# $5.3M Address Poisoning Network: Two Months Later

*Two months ago we exposed a $5.3M cross-chain address poisoning network. We came back. The network is bigger now — 854 new operator wallets, $16.8M USDT processed by the ETH collector, and the laundering trail leads to a CEX compliance gap.*

By [Building ChainAnalyzer](https://paragraph.com/@chainanalyzer) · 2026-04-25

web3, security, aml, defi, ethereum, polygon, avalanche

---

> _In February 2026, we exposed a cross-chain address poisoning network moving $5.3M across Avalanche, Ethereum, and Polygon. Two months later, we returned to the same wallets. The network is still running — and it's bigger._

* * *

TL;DR
-----

*   **854 new operator wallets** funded by the same Master Funder in the past 60 days
    
*   **$16.8M USDT** processed by the Ethereum collector from 1,450 unique senders
    
*   **$1.2M USDC** processed by the Polygon collector from 1,100 unique senders
    
*   Two addresses we previously labeled as "whale co-conspirators" are almost certainly **exchange / OTC hot wallets** — laundering starts at a CEX compliance gap, not a conspiracy
    
*   Wallet rotation theory **confirmed**: operator addresses turn over on a 2-3 month cycle, making static blacklists obsolete by design
    

The investigation publicity did not deter the network. It accelerated.

* * *

Recap — What We Found in February
---------------------------------

In our [February 2026 investigation](https://chain-analyzer.com/news/address-poisoning-network), we traced:

*   **264+ operator wallets** distributing 50+ Unicode-impersonation fake token contracts (Cyrillic `UЅDT`, Lisu `ꓴꓢꓓt`, zero-width invisibles)
    
*   **6,892+ poisoned addresses** across three chains
    
*   **$5.3M total capital moved**, including **176M yen of JPYC**
    
*   A **single Master Funder** at `0x54cdcbdb…` — 16,226 AVAX balance, 1,585 lifetime recipients, ~53% confirmed operators
    
*   Two laundering collectors on Ethereum ($2.67M USDT) and Polygon ($788K USDC)
    
*   A proven relay pattern: **victim → look-alike → relay → collector, 34 minutes end-to-end**
    

The question we left open: _does this network dismantle itself after exposure, or does it keep running?_

We came back two months later. Here's what we found.

* * *

Methodology
-----------

On 2026-04-20, we re-pulled on-chain state for every address flagged in the February report — using **Routescan** (Avalanche, keyless), **Etherscan V2** (Ethereum and Polygon, free API key),  
and **ChainAnalyzer's Neo4j graph** for cross-chain correlation.

Every number in this post is **reproducible against public on-chain data** as of 2026-04-20 06:45 UTC.

* * *

Headline Deltas
---------------

Address

Role

Feb 17, 2026

Apr 20, 2026

Delta

`0x54cdcbdb…`

Master Funder

16,226 AVAX

**12,254 AVAX**

**−3,972 AVAX** disbursed

`0x54cdcbdb…`

Recipients

1,585 (cumulative)

**2,439+**

**+854** new destinations

`0xbca34ed5…`

ETH Collector

$2.67M USDT

**$5.97M USDT**

**+$3.30M (+124%)**

`0xa6380bfd…`

POL Collector

249K POL + $788K USDC

511K POL + $348K USDC

+262K POL, −$440K (laundered)

`0xa081aa46…`

POL mass-poison funder

$12.55

**23,435 POL (~$24K)**

**+1,870×**

`0x3bce63c6…`

"142K AVAX whale"

141,904 AVAX

168,901 AVAX

+27K AVAX

`0x9f8c163c…`

"Top source"

(5,077 AVAX traced)

**1,688,967 AVAX (~$42M)**

full profile now visible

`0xb2de52d8…`

Primary operator

Active until 2026-02-15

**Dead** since 2026-02-15

✅ rotated out

`0x03309000…`

Active operator

Active 2026-02-17

**Depleted on 3 chains**, last TX 2026-04-15

✅ rotated out

`0x4226dd74…`

Main deployer (39 contracts)

1.46 AVAX, active

**Still active** (2026-04-20 06:39)

Zero new deployments

`0x64424853…`

Lisu deployer

Active

**Dormant** since 2025-12-23

Retired

Three things happened in parallel: aggressive new operator recruitment, continued laundering of victim funds into collectors, and systematic retirement of old operator wallets exactly as  
wallet-rotation theory predicted.

* * *

1\. The Master Funder Keeps Recruiting
--------------------------------------

We pulled the most recent 10,000 transactions from `0x54cdcbdb…`. After filtering to outflows since 2026-02-17:

*   **1,119 outbound AVAX transfers**
    
*   **49,441 AVAX sent total** (~$1.24M at $25/AVAX)
    
*   **854 unique destination addresses** — none of which received funds before 2026-02-17
    

To put that in scale: the February investigation covered **1,585 lifetime recipients**. In the two months since, the Master Funder added another **854 recipients** — _an expansion of 54% of  
the prior lifetime count, in 60 days._

### Top 10 New Destinations (Since Feb 17)

Destination

AVAX received

First TX

Last TX

TX count

`0x33a089cb…`

**9,722**

2026-03-02

2026-03-02

1

`0xf57a1140…`

**9,297**

2026-03-13

2026-03-13

1

`0x6f7e6fdf…`

**7,622**

2026-04-02

2026-04-02

1

`0xd7b9b792…`

3,677

2026-03-10

**2026-04-19**

38

`0x0808469a…`

1,794

2026-02-20

2026-03-10

13

`0xeae12a48…`

1,389

2026-04-10

2026-04-10

2

`0xe36d6080…`

1,061

2026-03-04

2026-04-02

3

`0x6632f500…`

1,032

2026-02-24

2026-03-06

3

`0x89b8678f…`

856

2026-04-03

2026-04-18

10

`0x951aa58d…`

844

2026-02-17

**2026-04-17**

7

The single-TX recipients receiving 7,000–10,000 AVAX in one shot look like fresh operator-funding events. The multi-TX recipients (38 transactions over a month) are mid-tier active operators.

The investigation exposing this network didn't slow it down. **If anything, Master Funder activity accelerated.**

* * *

2\. The "Top Source" Was Not a Co-Conspirator
---------------------------------------------

In February we noted a funder at `0x9f8c163c…` that had sent 5,077 AVAX to the Master Funder but which we hadn't fully traced. Two months of additional data make clear: **this address is  
almost certainly an exchange or OTC hot wallet**, not part of the criminal network.

Evidence:

*   Current balance: **1,688,967 AVAX (~$42M)**
    
*   First traceable activity: **2021-09-06** — pre-dates the entire poisoning operation by 4+ years
    
*   2.7M AVAX inflow + 2.4M AVAX outflow in the last ~10,000 transactions alone
    
*   Behavior pattern today: hundreds of zero-value `transfer` calls per day, occasional `execute` calls on a router, small payments to fresh addresses — **classic CEX hot-wallet idle /  
    withdrawal fingerprint**
    
*   Active on Ethereum and Polygon too — cross-chain hot wallet footprint
    

The 5,077 AVAX it once sent to the Master Funder was, in all likelihood, a **regular withdrawal from a centralized exchange**. The operator walked up to a CEX counter, withdrew AVAX, and walked away.

That's not a conspiracy. **That's a compliance gap at the exchange.**

Similarly, `0x3bce63c6…` ("142K AVAX whale") — balance 168,901 AVAX, active today (last TX 2026-04-20 06:40 UTC), same hot-wallet fingerprint. Its 40 AVAX contribution to the primary operator in February was likely another exchange withdrawal.

> **Conclusion:** there is no whale co-conspirator. The laundering-side money originates at one or two major exchanges that have poor outbound AML controls. This is actionable — and probably  
> **SAR-worthy** if you're an agency.

* * *

3\. The Collectors Are Busier Than Ever
---------------------------------------

### Ethereum Collector `0xbca34ed5…`

Metric

Feb 17

Apr 20

USDT balance

$2,665,507

**$5,970,800 (+124%)**

USDT received since Feb 17

—

**$16,865,450** from 1,450 unique senders (2,574 TXs)

USDT sent out since Feb 17

—

$15,134,814 (5,693 TXs)

Last activity

—

2026-04-20 06:38 UTC

In two months, this address handled **$16.9M USDT inflow from 1,450 senders** and $15.1M outflow. Net +$1.73M. At this velocity, the collector processes more USDT in **one week** than its entire Feb 17 balance.

### Polygon Collector `0xa6380bfd…`

Metric

Feb 17

Apr 20

USDC balance

$788,521

$348,256 (−56%)

POL balance

249,588

**511,722 (+106%)**

USDC received since Feb 17

—

**$1,201,642** from 1,100 unique senders (2,111 TXs)

USDC sent out since Feb 17

—

$1,633,777 (3,399 TXs)

Last activity

—

2026-04-20 06:40 UTC

The USDC balance dropped because **they're laundering it downstream**, not because victim flow stopped. **1,100 unique senders in two months** is up from 715 total in February. The relay pattern (victim → relay → collector within ~34 minutes) is still producing the majority of those inflows.

* * *

4\. Wallet Rotation Was Real
----------------------------

In February we theorized that operator wallets are disposable. The data now confirms it:

*   **Primary operator** `0xb2de52d8…` — last activity 2026-02-14, **3 days before we published**. Dead ever since.
    
*   **Active operator** `0x03309000…` — was active on all three chains in February. Today: AVAX depleted (last TX 2026-04-15), ETH depleted (last TX 2026-03-04), POL near-zero (last TX  
    2026-02-25)
    
*   **Top operator** `0x0808469a…` — received another 1,794 AVAX late Feb to early March, then quiet. 80 AVAX remains
    
*   **Lisu deployer** `0x64424853…` — dormant since 2025-12-23
    

The 854 fresh destinations the Master Funder has been seeding since Feb 17 are **exactly the replacements**. The operator population turns over on a roughly 2-3 month cycle.

> **Implication for AML teams:** address blacklists decay. A list of operator addresses from February is 30–50% stale by April. Detection has to operate at the **fund-flow and behavioral  
> level**, not the static-address level — which is exactly the design of ChainAnalyzer's [Follow Mode](https://chain-analyzer.com/news/follow-mode) and graph-clustering detectors.

* * *

5\. The Mass-Poisoning Funder Paid Off
--------------------------------------

Perhaps the single most striking data point: the Polygon mass-poisoning funder at `0xa081aa46…` spent just **$12.55** to poison 6,874 addresses in January.

Today, that address holds **23,435 POL (~$24K)**. Active, last TX 2026-04-20 00:14 UTC.

From **$12.55 to $24,000+** — _a 1,870× return on capital in 3 months_, before even counting any funds it has already moved downstream.

That's the entire economic argument for why this attack class is not going away without active defense.

* * *

6\. The Deployer Hasn't Shipped New Contracts — It Doesn't Need To
------------------------------------------------------------------

`0x4226dd7419b1431f512d82a2c9e5fa1597fb1077` was the main fake-token deployer responsible for **39 Unicode-impersonation contracts**. We checked whether it has deployed new contracts since Feb 17.

**Zero new deployments. 200 other transactions.**

The existing 39 contracts are still being used to mint and transfer fake tokens. The deployer is operational but not creating — meaning typical "contract creation detection" signals **miss  
this operator entirely** during the period it's most active.

* * *

What This Changes
-----------------

### For victims and potential victims

The network exposing itself to public investigation did not cause it to shut down. Every protective behavior we recommended in February still applies, with **more urgency**:

*   Never copy addresses from TX history
    
*   Compare character-by-character
    
*   Treat unsolicited tokens as a targeting signal
    
*   Screen destinations before sending
    

ChainAnalyzer does this free at [chain-analyzer.com](https://chain-analyzer.com). The [MCP server](https://chain-analyzer.com/news/mcp-server-launched) lets AI agents do it automatically before signing.

### For exchanges

Two addresses — `0x9f8c163c…` and `0x3bce63c6…` — have together funded wallets seeding thousands of poisoning operators. Our review strongly suggests these are **exchange or OTC hot wallets**. If they are yours, your withdrawal-side AML controls have a blind spot specific to address-poisoning actors. We would welcome a [conversation](https://chain-analyzer.com/contact_us).

### For AML teams and regulators

Address-based blacklists decay within 2–3 months for this attack class because of deliberate wallet rotation. Effective detection has to operate at the **fund-flow and graph level**.

ChainAnalyzer's detector suite is explicitly designed around this:

*   **P2 ADDRESS\_POISONING** for Unicode impersonation signatures
    
*   **W9 / W10 bridge detectors** for cross-chain laundering
    
*   **Follow Mode** for automatic BFS graph exploration
    
*   **Exchange DB** with 60+ known CEX hot wallets
    

### For Japan-market crypto operators

The **176M yen of JPYC** observed in this network in February — and the continued operator expansion since — continues to indicate that **Japanese retail users are specifically in the  
crosshairs**.

[ChainAnalyzer's JPYC AML coverage](https://chain-analyzer.com/news/jpyc-aml-support) was built for exactly this. If your product uses JPYC for B2B settlement, creator payouts, or EC payment  
acceptance, **pre-transfer screening is no longer optional**.

* * *

Takeaways
---------

*   The $5.3M network is now **materially larger** than when we published the February report. The investigation publicity did not deter it; **it accelerated**
    
*   854 new operator wallets funded by the single Master Funder in 60 days. Operator population rotates on a 2-3 month cycle
    
*   The Ethereum collector processed $16.8M USDT from 1,450 senders; the Polygon collector processed $1.2M USDC from 1,100 senders. **Real victims, real money, active every day**
    
*   Two "whale co-conspirators" are almost certainly exchange / OTC hot wallets. **The laundering stack starts at a compliance gap inside those exchanges**
    
*   The fake-token deployer has not shipped new contracts in two months. The existing 39 contracts suffice. **Contract-creation-based detection misses this**
    
*   For retail Web3, the defense is pre-transfer address screening. For AI agents, the defense is automatic screening via the ChainAnalyzer MCP server at **$0.008 per check**
    

We'll follow up again in 2-3 months. In the meantime, every new operator the Master Funder seeds between now and then will be tagged and propagated to **ScamDB** and the ChainAnalyzer detector suite automatically via Follow Mode.

* * *

Try It Yourself
---------------

Any of the addresses above can be scanned free at [chain-analyzer.com](https://chain-analyzer.com). Or programmatically:

*   **REST API** → [/docs/api](https://chain-analyzer.com/docs/api)
    
*   **x402 pay-per-request** → [/docs/x402](https://chain-analyzer.com/docs/x402) ($0.008–$0.05 per call, no signup)
    
*   **MCP server** → `npx chainanalyzer-mcp` ([Claude Desktop / Claude Code / ChatGPT / Gemini compatible](https://chain-analyzer.com/news/mcp-server-launched))
    

If you find new operator wallets the Master Funder has seeded, [report them to ScamDB](https://chain-analyzer.com/scamdb).

* * *

_Originally published at_ [_chain-analyzer.com/news/address-poisoning-network-followup_](https://chain-analyzer.com/news/address-poisoning-network-followup)_._  
_Prior investigation:_ [_The $5.3M Address Poisoning Network_](https://chain-analyzer.com/news/address-poisoning-network) _(February 2026)._  
_ENS:_ [_chainanalyzer.eth_](https://app.ens.domains/chainanalyzer.eth) _·_ [_Engineering blog_](https://blog.chain-analyzer.com)

---

*Originally published on [Building ChainAnalyzer](https://paragraph.com/@chainanalyzer/address-poisoning-network-2-months-later)*
