The ¥800 Million Address Poisoning Crime Network: A Follow-Up Investigation Two Months Later
Recap — What We Found in February 2026
In February we traced:
- 264+ operator wallets distributing 50+ Unicode-impersonation fake token contracts (Cyrillic UЅDT, Lisu ꓴꓢꓓt, zero-width invisibles)
- 6,892+ poisoned addresses across three chains
- $5.3M total capital moved including 176M yen of JPYC
- A single Master Funder at 0x54cdcbdba40e294e8832230db706cee76e1f20f3 — 16,226 AVAX balance, 1,585 recipients, 53% confirmed operators
- Two collectors on Ethereum ($2.67M USDT) and Polygon ($788K USDC)
- A proven relay pattern: victim → look-alike → relay → collector, 34 minutes end-to-end
The question we left open: does this network dismantle itself after being exposed, or does it keep running?
Follow-Up Methodology
On 2026-04-20 we pulled on-chain state for every address flagged in the February report, using Routescan (Avalanche, keyless), Etherscan V2 (Ethereum and Polygon, free API key), and ChainAnalyzer's own Neo4j graph for cross-chain correlation.
For each address we compared native balance, stablecoin holdings, last-TX timestamp, and activity since 2026-02-17. Every number below is reproducible against public on-chain data as of 2026-04-20 06:45 UTC.
Headline Deltas
| Address | Role | Feb 17, 2026 | Apr 20, 2026 | Delta |
|---|---|---|---|---|
| 0x54cdcbdb | Master Funder | 16,226 AVAX | 12,254 AVAX | −3,972 AVAX disbursed |
| 0x54cdcbdb | Master Funder recipients | 1,585 (cumulative) | 2,439+ | +854 new destinations |
| 0xbca34ed5 | ETH Collector | $2.67M USDT | $5.97M USDT | +$3.30M (+124%) |
| 0xa6380bfd | POL Collector | 249K POL + $788K USDC | 511K POL + $348K USDC | +262K POL, −$440K (laundered) |
| 0xa081aa46 | POL mass-poison funder | $12.55 | 23,435 POL (~$24K) | +1,870× |
| 0x3bce63c6 | "142K AVAX whale" | 141,904 AVAX | 168,901 AVAX | +27K AVAX |
| 0x9f8c163c | "Top source" | (only 5,077 AVAX traced) | 1,688,967 AVAX (~$42M) | full profile now visible |
| 0xb2de52d8 | Primary operator | Active until 2026-02-15 | Dead since 2026-02-15 | ✅ rotated out |
| 0x03309000 | Active operator | Active 2026-02-17 | Depleted on 3 chains, last TX 2026-04-15 | ✅ rotated out |
| 0x4226dd74 | Main deployer (39 contracts) | 1.46 AVAX, active | Still active (2026-04-20 06:39) | Zero new deployments |
| 0x64424853 | Lisu deployer | Active | Dormant since 2025-12-23 | Retired |
Three things happened in parallel: aggressive new operator recruitment, continued laundering of victim funds into collectors, and systematic retirement of old operator wallets exactly as wallet-rotation theory predicted.
1. The Master Funder Keeps Recruiting
We fetched the most recent 10,000 transactions from the Master Funder. After filtering to outflows since 2026-02-17:
- 1,119 outbound AVAX transfers
- Total sent: 49,441 AVAX (~$1.24M at $25/AVAX)
- 854 unique destination addresses — none of which received funds before 2026-02-17
To put that in scale: the February investigation covered 1,585 lifetime recipients. In the two months since, the Master Funder added another 854 recipients — an expansion of 54% of the prior lifetime count, in 60 days.

The top ten new destinations since Feb 17:
| Destination | AVAX received | First TX | Last TX | TX count |
|---|---|---|---|---|
| 0x33a089cb | 9,722 | 2026-03-02 | 2026-03-02 | 1 |
| 0xf57a1140 | 9,297 | 2026-03-13 | 2026-03-13 | 1 |
| 0x6f7e6fdf | 7,622 | 2026-04-02 | 2026-04-02 | 1 |
| 0xd7b9b792 | 3,677 | 2026-03-10 | 2026-04-19 | 38 |
| 0x0808469a | 1,794 | 2026-02-20 | 2026-03-10 | 13 |
| 0xeae12a48 | 1,389 | 2026-04-10 | 2026-04-10 | 2 |
| 0xe36d6080 | 1,061 | 2026-03-04 | 2026-04-02 | 3 |
| 0x6632f500 | 1,032 | 2026-02-24 | 2026-03-06 | 3 |
| 0x89b8678f | 856 | 2026-04-03 | 2026-04-18 | 10 |
| 0x951aa58d | 844 | 2026-02-17 | 2026-04-17 | 7 |
The investigation exposing this network did not slow it down. If anything, Master Funder activity accelerated.
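The outflow filter described in this section can be reproduced along the following lines. This is an added example, not the report's own tooling: it assumes Etherscan-style transaction records (`from`, `to`, `value` in wei, `timeStamp` in Unix seconds), and the sample records and placeholder destinations are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

FUNDER = "0x54cdcbdba40e294e8832230db706cee76e1f20f3"  # Master Funder, from the report
WEI = 10**18

def ts(y, m, d):
    """Unix timestamp string for midnight UTC, the shape explorer APIs return."""
    return str(int(datetime(y, m, d, tzinfo=timezone.utc).timestamp()))

CUTOFF = int(ts(2026, 2, 17))

def new_recipients(txs, funder=FUNDER, cutoff=CUTOFF):
    """Map each destination first funded on/after `cutoff` to its outflow stats."""
    funder = funder.lower()
    seen_before = set()
    stats = defaultdict(lambda: {"wei": 0, "txs": 0, "first": None, "last": None})
    for tx in sorted(txs, key=lambda t: int(t["timeStamp"])):
        # Keep value-bearing outflows only; contract creations have an empty "to".
        if tx["from"].lower() != funder or not tx["to"] or int(tx["value"]) == 0:
            continue
        dest, when = tx["to"].lower(), int(tx["timeStamp"])
        if when < cutoff:
            seen_before.add(dest)      # funded before the cutoff: not a new recruit
        elif dest not in seen_before:
            s = stats[dest]
            s["wei"] += int(tx["value"])   # integer wei avoids float rounding
            s["txs"] += 1
            s["first"] = s["first"] or when
            s["last"] = when
    return dict(stats)

# Constructed sample records; OLD/NEW/OTHER are placeholders, not real addresses.
OLD, NEW, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE = [
    {"from": FUNDER, "to": OLD, "value": str(5 * WEI), "timeStamp": ts(2026, 1, 10)},
    {"from": FUNDER, "to": OLD, "value": str(7 * WEI), "timeStamp": ts(2026, 3, 1)},
    {"from": FUNDER, "to": NEW, "value": str(40 * WEI), "timeStamp": ts(2026, 3, 2)},
    {"from": FUNDER, "to": "0x" + "BB" * 20, "value": str(2 * WEI), "timeStamp": ts(2026, 4, 19)},
    {"from": OTHER, "to": FUNDER, "value": str(9 * WEI), "timeStamp": ts(2026, 3, 5)},  # inflow
    {"from": FUNDER, "to": OTHER, "value": "0", "timeStamp": ts(2026, 3, 6)},  # zero-value
    {"from": FUNDER, "to": "", "value": str(WEI), "timeStamp": ts(2026, 3, 7)},  # creation
]

if __name__ == "__main__":
    for dest, s in new_recipients(SAMPLE).items():
        print(dest, s["wei"] / WEI, "AVAX in", s["txs"], "txs")
```

The "never funded before" test is only as strong as the history fed in: with a capped window such as the most recent 10,000 transactions, page back to the funder's first transaction or the pre-cutoff set will be incomplete.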
2. The "Top Source" Was Not a Co-Conspirator
In February we noted a funder at 0x9f8c163c… that had sent 5,077 AVAX to the Master Funder but which we had not fully traced. Two months of additional data make clear: this address is almost certainly an exchange or OTC hot wallet, not part of the criminal network.
Evidence:
- Current balance: 1,688,967 AVAX (~$42M)
- First traceable activity: 2021-09-06 (pre-dates the entire poisoning operation by 4+ years)
- 2.7M AVAX inflow + 2.4M AVAX outflow in the last ~10,000 transactions alone
- Behavior pattern today: hundreds of 0-value transfer calls per day, occasional execute calls on a router, small payments to fresh addresses — classic CEX hot-wallet idle / withdrawal fingerprint
- Active on Ethereum and Polygon too — cross-chain hot wallet footprint
The 5,077 AVAX it once sent to the Master Funder was, in all likelihood, a regular withdrawal from a centralized exchange. The poisoning operator walked up to a CEX counter, withdrew AVAX, and walked away. That's not a conspiracy; that's a compliance gap at the exchange.
Similarly, 0x3bce63c6 ("142K AVAX whale") — balance 168,901 AVAX, active today (last TX 2026-04-20 06:40 UTC), same hot-wallet fingerprint. Its 40 AVAX contribution to the primary operator in February was likely another exchange withdrawal.
Conclusion: there is no whale co-conspirator. The laundering-side money originates at one or two major exchanges that have poor outbound AML controls. This is actionable — and probably SAR-worthy if you're an agency.
3. Collectors — The Laundering Front-End Is Busier Than Ever
Ethereum collector 0xbca34ed5
| Metric | Feb 17 | Apr 20 |
|---|---|---|
| USDT balance | $2,665,507 | $5,970,800 (+124%) |
| USDT received since Feb 17 | — | $16,865,450 from 1,450 unique senders (2,574 TXs) |
| USDT sent out since Feb 17 | — | $15,134,814 (5,693 TXs) |
| Last activity | — | 2026-04-20 06:38 UTC |
In two months, this address handled $16.9M USDT inflow from 1,450 senders and $15.1M outflow. Net +$1.73M. At this velocity, the collector processes more USDT in one week than its entire Feb 17 balance.
Polygon collector 0xa6380bfd
| Metric | Feb 17 | Apr 20 |
|---|---|---|
| USDC balance | $788,521 | $348,256 (−56%) |
| POL balance | 249,588 | 511,722 (+106%) |
| USDC received since Feb 17 | — | $1,201,642 from 1,100 unique senders (2,111 TXs) |
| USDC sent out since Feb 17 | — | $1,633,777 (3,399 TXs) |
| Last activity | — | 2026-04-20 06:40 UTC |
The USDC balance dropped because they are laundering it downstream, not because victim flow stopped. 1,100 unique senders in two months is up from 715 total in February. The relay pattern (victim → relay → collector within ~34 minutes) is still producing the majority of those inflows.

4. Wallet Rotation Was Real
One thing we theorized in February was that operator wallets are disposable. The data now confirms it:
- Primary operator 0xb2de52d8 — last activity 2026-02-14, 3 days before we published. Dead ever since.
- Active operator 0x03309000 — was active on all three chains in February. Today: AVAX depleted, last TX 2026-04-15; ETH depleted, last TX 2026-03-04; POL near-zero, last TX 2026-02-25.
- Top operator 0x0808469a — received another 1,794 AVAX late Feb to early March, then quiet. 80 AVAX remains.
- Lisu deployer 0x64424853 — dormant since 2025-12-23.
The 854 fresh destinations the Master Funder has been seeding since Feb 17 are exactly the replacements. The operator population turns over on a roughly 2-3 month cycle.
This has an interesting implication for AML teams: address blacklists decay. A list of operator addresses from February is 30-50% stale by April. Detection has to operate at the fund-flow and behavioral level, not at the static-address level — which is exactly the design of ChainAnalyzer's Follow Mode and graph-clustering detectors.
5. The Mass-Poisoning Funder Paid Off
Perhaps the single most striking data point: the Polygon mass-poisoning funder at 0xa081aa46 spent just $12.55 to poison 6,874 addresses in January.
Today, that address holds 23,435 POL (~$24K). Active, last TX 2026-04-20 00:14 UTC. From $12.55 to $24,000+ — a 1,870× return on capital in 3 months, before even counting any funds it has already moved downstream.
That's the entire economic argument for why this attack class is not going away without active defense.
6. The Deployer Hasn't Shipped New Contracts — It Doesn't Need To
0x4226dd7419b1431f512d82a2c9e5fa1597fb1077 was the main fake-token deployer responsible for 39 Unicode-impersonation contracts. We checked whether it has deployed new contracts since Feb 17.
Zero new deployments. 200 other transactions.
The existing 39 contracts are still being used to mint and transfer fake tokens. The deployer is operational but not creating — meaning typical "contract creation detection" signals miss this operator entirely during the period they're most active.
Updated Network Topology

What This Changes
For victims and potential victims
Public exposure of the network did not cause it to shut down. Every protective behavior we recommended in February still applies, with more urgency: never copy addresses from TX history, compare character-by-character, treat unsolicited tokens as a targeting signal, screen destinations before sending. ChainAnalyzer does this free at chain-analyzer.com. The MCP server lets AI agents do it automatically before signing.
For exchanges
Two addresses — 0x9f8c163c and 0x3bce63c6 — have together funded wallets seeding thousands of poisoning operators. Our review strongly suggests these are exchange or OTC hot wallets. If they are yours, your withdrawal-side AML controls have a blind spot specific to address-poisoning actors. We would welcome a conversation.
For AML teams and regulators
Address-based blacklists decay within 2-3 months for this attack class because of deliberate wallet rotation. Effective detection has to operate at the fund-flow and graph level. ChainAnalyzer's detector suite is explicitly designed around this: P2 ADDRESS_POISONING for Unicode impersonation signatures, W9/W10 bridge detectors for cross-chain laundering, Follow Mode for automatic BFS graph exploration, and an Exchange DB with 60+ known CEX hot wallets.
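What a Unicode-impersonation signature can check on a token symbol is sketched below for the three classes named in this report (Cyrillic, Lisu, zero-width). It is an added example, not ChainAnalyzer's P2 detector or any code from the report; the `CONFUSABLE` map, function names and sample symbols are constructed for illustration.

```python
import unicodedata

PROTECTED = {"USDT", "USDC", "JPYC"}  # tickers named in the report
# Constructed subset of look-alike mappings; a production check would load the
# full Unicode confusables data (UTS #39) instead of this hand-picked table.
CONFUSABLE = {
    "\u0405": "S", "\u0421": "C", "\u0422": "T",   # Cyrillic DZE, ES, TE
    "\ua4f4": "U", "\ua4e2": "S", "\ua4d3": "D",   # Lisu U, SA, DA
    "\ua4d4": "T", "\ua4da": "C",                  # Lisu TA, CA
}

def analyze_symbol(symbol):
    """Return invisible characters, scripts used, and any protected ticker imitated."""
    invisible, scripts, folded = [], set(), []
    for ch in symbol:
        if unicodedata.category(ch) == "Cf":   # zero-width and other format chars
            invisible.append(f"U+{ord(ch):04X}")
            continue                           # renders as nothing, so drop it
        if ch.isalpha():
            # Heuristic: the first word of the character name approximates its script.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
        folded.append(CONFUSABLE.get(ch, ch))
    skeleton = unicodedata.normalize("NFKC", "".join(folded)).upper()
    # Imitation: reads as a protected ticker but is not byte-identical to it.
    imitates = skeleton if skeleton in PROTECTED and symbol != skeleton else None
    return {"skeleton": skeleton, "imitates": imitates,
            "invisible": invisible, "scripts": sorted(scripts)}

def is_suspicious(symbol):
    """True if the symbol imitates a ticker, hides characters, or leaves Latin script."""
    r = analyze_symbol(symbol)
    return bool(r["imitates"] or r["invisible"] or set(r["scripts"]) - {"LATIN"})

# Constructed sample symbols, written with escapes so the odd characters are visible.
SAMPLES = ["USDT", "U\u0405DT", "\ua4f4\ua4e2\ua4d3t", "USD\u200bT", "WAVAX"]

if __name__ == "__main__":
    for sym in SAMPLES:
        print(repr(sym), is_suspicious(sym), analyze_symbol(sym))
```

A clean result says nothing about authenticity, since a fake contract can also carry the exact ASCII symbol; the token's identity is its contract address.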
For Japan-market crypto operators
The 176M yen of JPYC observed in this network in February — and the continued operator expansion since — continue to indicate that Japanese retail users are specifically in the crosshairs. ChainAnalyzer's JPYC AML coverage was built for exactly this. If your product uses JPYC for B2B settlement, creator payouts, or EC payment acceptance, pre-transfer screening is no longer optional.
Takeaways
- The $5.3M network is now materially larger than it was when we published the February report. The investigation publicity did not deter it; it accelerated.
- 854 new operator wallets funded by the single Master Funder in 60 days. Operator population rotates on a 2-3 month cycle.
- The Ethereum collector processed $16.8M USDT from 1,450 senders; the Polygon collector processed $1.2M USDC from 1,100 senders. Real victims, real money, active every day.
- Two "whale co-conspirators" are almost certainly exchange / OTC hot wallets. The laundering stack starts at a compliance gap inside those exchanges.
- The fake-token deployer has not shipped new contracts in two months. The existing 39 contracts suffice. Contract-creation-based detection misses this.
- For retail Web3, the defense is pre-transfer address screening. For AI agents, the defense is automatic screening via the ChainAnalyzer MCP server at $0.008 per check.
We will follow up again in 2-3 months. In the meantime, every new operator the Master Funder seeds between now and then will be tagged and propagated to ScamDB and the ChainAnalyzer detector suite automatically via Follow Mode.
Try It Yourself
Any of the addresses above can be scanned free at chain-analyzer.com. Or programmatically via the REST API, x402 pay-per-request endpoints, or the MCP server from any AI agent.
If you find new operator wallets the Master Funder has seeded, please report them to ScamDB.