Contributors: 陳梅慧 Miffy, 尤芷薇 Yoyo
This report’s newest version can be found here
Click here to download the original Chinese report
Timeline of report publication
Publication of the Chinese report v1.2: April 12, 2024
Publication of the English report v1.2: Aug 06, 2024
Note: A full version of this report has been submitted to the relevant law enforcement agencies.
I. Background
“Creative Private Room” (創意私房), known as Taiwan’s version of the Nth Room, contains a large number of illegal underage sex videos. It has recently received a lot of attention because entertainer Mickey Huang (黃子佼), as its premium member, was revealed to have purchased videos from the platform. Xue Ruiyuan, Minister of Health and Welfare of Taiwan, also said in the Legislative Yuan on 10 April 2024, that he would issue a letter to the Ministry of Digital Affairs to block the “Creative Private Room” domain on the same day.
However, what happens after blocking? Who are these people profiting from child and youth sexual exploitation and clandestine photography? Can they be brought to justice?
In its Facebook fan page post, Block Trend (區塊勢), a longtime blockchain and cryptocurrency key opinion leader, utilized the global digital archive, the Wayback Machine, along with URLs to obtain the addresses of four non-custodial wallets used by “Creative Private Room” at different times:
Miffy Chen, a blockchain financial crime investigator at XREX, used the above wallet information to track where these four wallets sent the money they had received as payment for videos.
XREX released this report on the on-chain money flow as well as the technical analysis, which more accurately targeted the receivers behind “Creative Private Room” – those who gained profits from clandestine photography and sexual violence in the real world.
II. Questions this report tries to answer
- How many people have paid to obtain a “Creative Private Room” membership? How can we deduce their real identity from their wallets?
- What wallets does “Creative Private Room” use to receive payments? Who might be the holders of these wallets?
- Who does “Creative Private Room” transfer funds to after receiving money from their wallets?
- Why does “Creative Private Room” transfer funds to these wallets? What are the roles of these beneficiaries?
- How can on-chain evidence help law enforcement agencies take action?
- What is the overall financial flow and organizational hierarchy within the criminal structure of “Creative Private Room”?
- What tools and analytics are available on the blockchain that can be used as clues to find networks behind criminal syndicates?
III. Key takeaways of this report
The transaction details of the four wallets
Stakeholders potentially involved in the money flow of “Creative Private Room”
Notes:
- The reason for using the number of transactions to represent deposits into the “Creative Private Room” is that when users deposit funds from the exchange, it is sent out from the exchange’s hot wallet on the blockchain rather than from a wallet exclusive to a single user. Only if the exchange tries to match transaction details with its individual users, can you find out who is behind these transactions. The number of transactions does not directly represent the number of users; it could also be multiple transactions from a single user.
- Wallets used for recharging will each correspond to a unique wallet belonging to a single individual. Each wallet represents one person, making subsequent investigations and identifications easier.
- The number of deposit transactions and the number of receiving wallets may overlap among the four wallets of “Creative Private Room.”
The top 10 custodial wallets which received the most funds from “Creative Private Room”
Upon closer examination of possible actual beneficiaries, there are 10 custodial wallets that received more than 10,000 USDT (approximately NT$320,000) from the “Creative Private Room;” their associated exchanges include Binance, Max, ACE, and BingX. These 10 wallets also frequently receive funds transferred from these four wallets.
The top custodial wallet that benefited from the “Creative Private Room”
The custodial wallet receiving the highest amount of funds is TNFw********************4 on the Binance exchange. Using the wallet database tool OKLink, we found that this wallet has been active for three years.
Further observation with the Misttrack tool revealed that all five wallets associated with it are related to the “Creative Private Room.” From December 5, 2021, to April 29, 2023, this wallet consistently received funds from the “Creative Private Room,” totaling 73 transactions, and accumulating over 66,000 USDT, equivalent to over NT$2,000,000 in value, as depicted in the figure below:
Latest update on the “Creative Private Room” wallets
The most recent fund transfer among the four publicly disclosed “Creative Private Room” wallets occurred on April 10, 2024, at 23:19:18. Funds were transferred from the OKX exchange into the fourth receiving wallet of the “Creative Private Room,” identified as TA2G85LLXqtbcMwwZUKn4gDdQ9EkoHRp8V.
This indicates that this wallet is still frequently used and remains active.
IV. Blockchain intelligence tools used
Blockchain analysis platforms, which can visualize information about transaction records and addresses on the blockchain, are great tools for “blockchain detectives” to track money flows. These tools can also serve as instruments to monitor crypto whale movements.
V. Reveal the actual holders of four “Creative Private Room” wallets
Transferring tokens on the blockchain requires gas fees[1]. By tracing the source of gas fees, one can establish associations between wallets and seek information about actual holders.
Transferring TRC-20 USDT issued on the Tron blockchain requires payment in TRX for gas fees. We used the blockchain analysis tool Arkham to observe the TRX transactions between the four receiving wallet addresses (obtained by Block Trend) that the “Creative Private Room” used at different times.
If a wallet frequently transfers USDT, it will likely deposit a large amount of TRX (to pay for gas fees). A structured and organized group, whether a fraudulent organization or a platform like the “Creative Private Room,” will exhibit such characteristics.
The graph below is a relationship graph generated by the Arkham visualization tool. It can be observed that the four wallets of the “Creative Private Room” in the middle have a common source of TRX. They also closely interact in TRX transactions, indicating a high likelihood that the same individual or group holds these four wallets.
From the graph above, it can be observed that the fourth wallet of the “Creative Private Room,” TA2G85LLXqtbcMwwZUKn4gDdQ9EkoHRp8V, received a deposit of 5,066 TRX from the MEXC exchange. This information can assist law enforcement agencies in retrieving the identity verification data of users from the MEXC exchange based on the unique transaction hash[2] associated with this transaction, thereby identifying the individual behind the scenes.
In addition to the aforementioned TRX transaction record, attempts were made to trace the preceding gas fee transactions. The first wallet, TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ, is the earliest created wallet among the four of the “Creative Private Room.” It initiated the first gas fee deposit on November 30, 2021, at 16:03:21.
Next, using the visualization tool Bitquery, we observed TRX sources and flows of the first wallet of the “Creative Private Room,” TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ, as shown in the graph below:
From the graph generated by Bitquery, we can observe the “hopping” relationship of TRX transfers of the “Creative Private Room,” where some wallets immediately transfer out the TRX they receive. The behavior of “quick in-and-out” funds is less common in typical transaction behavior and is one characteristic associated with suspicious transactions.
Based on the same graph, a more precise table is produced below. Sections marked in orange represent the four wallets of the “Creative Private Room.” This table starts from the first wallet, TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ, and examines the hopping relationship of preceding and succeeding funds.
This table illustrates the hopping relationship between wallets and reveals the high correlation among the four wallets of the “Creative Private Room.” Additionally, specific characteristics of certain wallets, such as quick in-and-out behavior, association with particular exchanges, primary sources or destinations of TRX, etc., are highlighted below.
According to the above table, much of the TRX used to pay gas fees was transferred from the Binance exchange to a decentralized non-custodial wallet before being transferred to the first wallet of the “Creative Private Room,” TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ.
The table below summarizes these transaction hashes. Law enforcement agencies can obtain relevant identity verification information through the Binance exchange to find out who provided the TRX transaction fees required when transferring funds to the “Creative Private Room.”
We identified three wallets which provided the source of TRX and exhibited “quick in-and-out” behavior. Using the MistTrack tool for inspection as shown in the figure below, we can see that the four receiving wallets of the “Creative Private Room” are marked as “Illegal Service,” while green stars represent the “hopping” wallets.
On the far left is the hot wallet of Binance exchange, indicating that TRX was withdrawn from Binance user accounts to the “hopping” wallet and then transferred to receiving wallets of the “Creative Private Room” in a short period.
The transfer of TRX among these three wallets is indicated above the arrows in gray font, showing transaction times. After withdrawing TRX from the exchange, all transfers occurred within a few minutes, exhibiting organized characteristics of “quick in-and-out” and mass withdrawal for gas fee transfers.
The “hopping” wallet marked with a green star is: TMv9PwYkekUeSXwKR5Vpek4uGcAkGMaaUg
The “hopping” wallet marked with a green star is: TJnQv8rYMKTZEXzb8QgjTsGn9BRm2SPgjm
The “hopping” wallet marked with a green star is: TJxKcEZ1czkYB285sUeJ1FgX8d8hkVu4WP
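The "quick in-and-out" pattern described in this section can be checked mechanically once the TRX transfers are exported. The following is an added example, not XREX's own tooling: the wallet names and transfers are constructed placeholders, and the 10-minute window and 90% pass-through ratio are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample TRX transfers: (sender, receiver, amount, UTC time).
# All wallet names are placeholders, not addresses or amounts from the report.
TRANSFERS = [
    ("EXCHANGE_HOT", "HOP_A", 500.0, "2021-11-30 16:00:05"),
    ("HOP_A", "RECV_1", 499.0, "2021-11-30 16:03:21"),
    ("EXCHANGE_HOT", "HOP_B", 800.0, "2022-03-01 09:10:00"),
    ("HOP_B", "RECV_2", 400.0, "2022-03-01 09:12:30"),
    ("HOP_B", "RECV_3", 399.0, "2022-03-01 09:14:00"),
    ("EXCHANGE_HOT", "USER_X", 300.0, "2022-05-02 12:00:00"),
    ("USER_X", "RECV_1", 50.0, "2022-05-09 18:30:00"),   # a week later: not a hop
    ("EXCHANGE_HOT", "USER_Y", 200.0, "2022-06-01 08:00:00"),
    ("USER_Y", "SHOP_Z", 199.0, "2022-06-01 08:02:00"),  # fast, but not a watched wallet
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_hops(transfers, sources, targets, window=timedelta(minutes=10), min_ratio=0.9):
    """Wallets that receive TRX from a known source (exchange hot wallet) and forward
    at least min_ratio of it to watched targets within window (assumed thresholds)."""
    inbound = defaultdict(list)
    for src, dst, amt, ts in transfers:
        if src in sources:
            inbound[dst].append((parse(ts), amt))
    hops = {}
    for wallet, deposits in inbound.items():
        for t_in, amt_in in deposits:
            outs = [(parse(ts), dst, amt) for src, dst, amt, ts in transfers
                    if src == wallet and dst in targets
                    and timedelta(0) <= parse(ts) - t_in <= window]
            forwarded = sum(a for _, _, a in outs)
            if outs and forwarded >= min_ratio * amt_in:
                hops.setdefault(wallet, []).extend(
                    (t_in, t_out, dst, amt) for t_out, dst, amt in outs)
    return hops

def shared_funders(hops):
    """Map each watched receiving wallet to the hop wallets that supplied its gas."""
    funded = defaultdict(set)
    for wallet, legs in hops.items():
        for _, _, dst, _ in legs:
            funded[dst].add(wallet)
    return dict(funded)

# Hop wallets between the exchange hot wallet and the watched receiving wallets.
HOPS = find_hops(TRANSFERS, {"EXCHANGE_HOT"}, {"RECV_1", "RECV_2", "RECV_3"})
```

Each flagged hop carries the timestamp of the exchange withdrawal that funded it, which is the transaction an investigator would hand to the exchange for identity matching.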
VI. Reveal new members joining “Creative Private Room” through USDT payments
We used the Internet Time Machine (網路時光機) tool to track and review “Creative Private Room” posts. Although it’s the same post, editing records from different periods reveal that the “Creative Private Room” constantly adjusts its membership payment methods, wallet addresses used, and USDT exchange rates, among other things. Using wallet data from OKLink, we compiled 2,233 transactions of withdrawals from exchange hot wallets, that is, deposits into the “Creative Private Room’s” four receiving wallets.
It may be challenging to analyze wallet addresses and receive information about the “Creative Private Room” preserved by the Internet Time Machine because existing members likely deposit varying amounts or upgrade to premium memberships with different amounts. Additionally, transactions between individuals associated with any criminal group could further complicate our estimations due to the lack of public information.
However, based on available information, we can attempt to deduce the number of new incoming members the “Creative Private Room” attracted over different periods through these four receiving wallets, as the amount of each deposit should be within a certain range.
The edited time of “Creative Private Room’s” post preserved by the Internet Time Machine: August 12, 2022.
The edited time of “Creative Private Room’s” post preserved by the Internet Time Machine: January 28, 2023
The edited time of “Creative Private Room’s” post preserved by the Internet Time Machine: October 4, 2023
The edited time of “Creative Private Room’s” post preserved by the Internet Time Machine: April 9, 2024
Note: Recent records could not be preserved for the latest deposit wallet addresses. The website operator has changed the method to acquire wallet addresses to require email consultation. Therefore, this report utilizes wallet addresses from Block Trend posts for statistical purposes.
VII. Reveal beneficiaries behind “Creative Private Room”
Why did the four receiving wallets of the “Creative Private Room” resend received funds to other wallets? It’s evident that they have vested interests. By tracking the destination of USDT from the four receiving wallets, we can identify primary beneficiaries.
Who exactly receives money through the sale of illegal voyeuristic and exploitative videos? Their roles could range from website administrators, staff, video providers, operators, or equipment purchasers to the platform’s VIP members receiving refunds. This remains unknown and requires further investigation and analysis by law enforcement.
Notably, exchanges are the sole entities possessing user identity verification data. Therefore, locating the “custodial wallets” of the centralized exchanges is crucial. Through identity verification and other identifiable information, we can intersect and match the group behind “Creative Private Room.”
In the following graph, we provide an overview of the overall money flow of the four receiving wallets of the “Creative Private Room” using the visualization tool Bitquery. With charts and tables, we can identify wallets interacting with them and correlate them with the succeeding beneficiary wallets.
The first receiving wallet of “Creative Private Room”: TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ
The second receiving wallet of the “Creative Private Room”: TUQbf1PgWvxKethbrYLFY842UL6Z41RiKC
The third receiving wallet of the “Creative Private Room”: TPbRDKYYi5qT3Ayutw6NV31bvNX9zGivZx
The fourth receiving wallet of the “Creative Private Room”: TA2G85LLXqtbcMwwZUKn4gDdQ9EkoHRp8V
With the help of Bitquery, we can not only identify upstream and downstream relationships of the “Creative Private Room’s” four wallets, but also observe that three out of the four receiving wallets have large amounts of funds transferred to a single wallet.
With the help of the blockchain analysis tool MistTrack, we compiled destinations of funds for the four receiving wallets and the two hopping wallets associated with the “Creative Private Room” to identify potential primary beneficiaries. The list of beneficiary wallets below includes only “custodial wallets” from centralized exchanges with accessible identity verification data; they are sorted by amount as shown in the table:
VIII. Compilation of traceable wallets associated with the “Creative Private Room”
Transaction hashes of gas fees paid for “Creative Private Room”
Beneficiary wallets receiving USDT from the “Creative Private Room” wallets (only listing “custodial wallets”)
About XREX Group
XREX Group is a blockchain-enabled financial institution working with banks, regulators, and users to redefine banking together. We provide services to businesses in or dealing with emerging markets, and novice-friendly financial services to individuals worldwide.
Founded in 2018, XREX offers a full suite of services such as digital asset custody, wallet, cross-border payment, fiat-crypto conversion, cryptocurrency exchange, asset management, and fiat currency on-off ramps.
Formerly known as the cybersecurity software company Armorize, XREX has over 15 years of experience in the international cybersecurity field, with expertise in both offensive and defensive techniques.
Sharing the social responsibility of financial inclusion, XREX leverages blockchain technologies to further financial participation, access, and education.
XREX Singapore operates under the Major Payments Institution (MPI) license issued by the Monetary Authority of Singapore (MAS). XREX Taiwan completed its Compliance Statements on Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) with Taiwan’s Financial Supervisory Commission (FSC) in March 2022 and is a regulated VASP.
—
[1]: Gas fee is the fuel users pay