DEV Community
Kenzo ARAI

$5.3M Address Poisoning Network — 2 Months Later: The Follow-Up

By refinancier, inc. / ChainAnalyzer — 2026-04-20

TL;DR — On 2026-02-17 we published an investigation identifying a cross-chain address poisoning network moving $5.3M across Avalanche, Ethereum, and Polygon, with 264+ operator wallets funded by a single "Master Funder" (0x54cdcbdb...). Two months later, we returned to the same wallets. The network is still active, the Master Funder has disbursed another $1.24M in AVAX to 854 new destination addresses, and the Ethereum collector received $16.8M USDT during the interval. We also re-classified two addresses we had previously labeled as "whale funders" — they are almost certainly exchange / OTC hot wallets, not co-conspirators. Full comparison below.


Recap — What We Found in February 2026

In February we traced:

  • 264+ operator wallets distributing 50+ Unicode-impersonation fake token contracts (Cyrillic UЅDT, Lisu ꓴꓢꓓt, zero-width invisibles)
  • 6,892+ poisoned addresses across three chains
  • $5.3M total capital moved including 176M yen of JPYC
  • A single Master Funder at 0x54cdcbdba40e294e8832230db706cee76e1f20f3 — 16,226 AVAX balance, 1,585 recipients, of which 53% were confirmed poisoning operators
  • Two collectors: Ethereum (0xbca34ed5... = $2.67M USDT) and Polygon (0xa6380bfd... = $788K USDC)
  • Proven relay pattern: on Polygon, a victim sent 2,800 USDC to a relay wallet after seeing a look-alike address in their history; 34 minutes later that USDC was forwarded to the collector

For the full February findings: original investigation writeup.

The question we left open: does this network dismantle itself after being exposed, or does it keep running?


Follow-Up Methodology

On 2026-04-20 we pulled on-chain state for every address flagged in the February report, using:

  • Routescan (Avalanche C-Chain, keyless)
  • Etherscan V2 (Ethereum + Polygon, same API key)
  • ChainAnalyzer's own Neo4j graph for cross-chain correlation

For each address we compared:

  1. Native token balance (Feb 17 → Apr 20)
  2. Last transaction timestamp
  3. Stablecoin holdings (USDT, USDC, USDC.e, POL)
  4. New funding activity since 2026-02-17
  5. Contract deployment activity (for the fake-token deployer)

Every number below is reproducible against public on-chain data as of 2026-04-20 06:45 UTC.


Headline Deltas

| Address | Role | Feb 17, 2026 | Apr 20, 2026 | Delta |
|---|---|---|---|---|
| 0x54cdcbdb | Master Funder | 16,226 AVAX | 12,254 AVAX | −3,972 AVAX (disbursed) |
| 0x54cdcbdb | Master Funder | 1,585 recipients (cumulative) | 2,439+ recipients | +854 new destinations in 2 months |
| 0xbca34ed5 | ETH Collector | $2.67M USDT | $5.97M USDT | +$3.30M (+124%) |
| 0xa6380bfd | POL Collector | 249K POL + $788K USDC | 511K POL + $348K USDC | +262K POL, −$440K USDC (laundered out) |
| 0xa081aa46 | POL mass-poison funder | Balance: $12.55 | 23,435 POL (~$24K) | +1,870× |
| 0x3bce63c6 | "142K AVAX whale" | 141,904 AVAX | 168,901 AVAX | +27K AVAX |
| 0x9f8c163c | "Top source" | (only 5,077 AVAX traced) | 1,688,967 AVAX (~$42M) | (full profile now visible) |
| 0xb2de52d8 | Primary operator | Active until 2026-02-15 | Dead — no activity since 2026-02-15 | ✅ rotated out |
| 0x03309000 | Active operator | Active 2026-02-17 | Depleted across 3 chains — last AVAX activity 2026-04-15 | ✅ rotated out |
| 0x4226dd74 | Main deployer (39 fake contracts) | 1.46 AVAX, active | Still active as of 2026-04-20 06:39 UTC | Still used for poisoning — no NEW deployments |
| 0x64424853 | Lisu deployer (cross-chain) | Active | Dormant since 2025-12-23 | Likely retired |

Three things happened in parallel: aggressive new operator recruitment, continued laundering of victim funds into collectors, and systematic retirement of old operator wallets exactly as wallet-rotation theory predicted.


1. The Master Funder Keeps Recruiting

We fetched the most recent 10,000 transactions from the Master Funder (0x54cdcbdb). After filtering to outflows since 2026-02-17, the numbers are:

  • 1,119 outbound AVAX transfers
  • Total sent: 49,441 AVAX (~$1.24M at $25/AVAX)
  • 854 unique destination addresses — none of which received funds before 2026-02-17

To put that in scale: the February investigation covered 1,585 lifetime recipients. In the two months since, the Master Funder added another 854 recipients — an expansion of 54% of the prior lifetime count, in 60 days.

The top ten new destinations since Feb 17:

| Destination | AVAX received | First TX | Last TX | TX count |
|---|---|---|---|---|
| 0x33a089cb | 9,722 | 2026-03-02 | 2026-03-02 | 1 |
| 0xf57a1140 | 9,297 | 2026-03-13 | 2026-03-13 | 1 |
| 0x6f7e6fdf | 7,622 | 2026-04-02 | 2026-04-02 | 1 |
| 0xd7b9b792 | 3,677 | 2026-03-10 | 2026-04-19 | 38 |
| 0x0808469a | 1,794 | 2026-02-20 | 2026-03-10 | 13 |
| 0xeae12a48 | 1,389 | 2026-04-10 | 2026-04-10 | 2 |
| 0xe36d6080 | 1,061 | 2026-03-04 | 2026-04-02 | 3 |
| 0x6632f500 | 1,032 | 2026-02-24 | 2026-03-06 | 3 |
| 0x89b8678f | 856 | 2026-04-03 | 2026-04-18 | 10 |
| 0x951aa58d | 844 | 2026-02-17 | 2026-04-17 | 7 |

Four patterns jump out:

  1. Single large bursts to fresh wallets (9,722 / 9,297 / 7,622 AVAX in one transaction, then the destination goes quiet). Classic "seed a new operator and let it run autonomously" behavior.
  2. Steady multi-TX relationships with certain destinations (0xd7b9b792 received 38 separate transfers between Mar 10 and Apr 19). These look like infrastructure wallets rather than operators — possibly paying gas or topping up the deployer.
  3. Continuity with the old network — the address 0x0808469a that was the top operator in the February report received another 1,794 AVAX between Feb 20 and Mar 10, then went dormant again.
  4. Activity continuing to today: 0xd7b9b792 last received AVAX on 2026-04-19, 24 hours before we ran this query.

```mermaid
gantt
    title Master Funder outflow velocity
    dateFormat YYYY-MM-DD
    axisFormat %b-%d
    section Before investigation
    Lifetime recipients (1585)   :done, 2022-10-01, 2026-02-17
    section Since Feb 17 report
    New recipients (+854)        :active, 2026-02-17, 2026-04-20
```

The investigation exposing this network did not slow it down. If anything, Master Funder activity accelerated.
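The totals and the per-destination table above are derived from a txlist pull filtered to outflows after the cutoff. The following is an added example, not the article's or ChainAnalyzer's code, that performs the same reduction on an Etherscan-style txlist response: it keeps non-zero outbound native transfers at or after the cutoff, separates destinations the funder had already paid before the cutoff from brand-new ones, and ranks destinations by amount with first/last transaction dates and transfer counts. The transaction rows, counterparties and amounts are constructed sample data; only the Master Funder address and the cutoff timestamp come from the article.

```python
"""Added example (not the article's or ChainAnalyzer's code): reproduce the
"outflows since cutoff" summary from an Etherscan-style txlist response.
Every transaction below is constructed sample data, not real chain data."""
from collections import defaultdict
from datetime import datetime, timezone

CUTOFF_TS = 1771200000  # 2026-02-16 00:00 UTC, the article's cutoff
WEI = 10**18            # AVAX, like ETH, is denominated in 18-decimal wei
FUNDER = "0x54cdcbdba40e294e8832230db706cee76e1f20f3"  # Master Funder, from the article

# Constructed rows using the field names Etherscan-compatible txlist APIs return.
# Counterparties and amounts are made up; only the layout is realistic.
SAMPLE_TXLIST = [
    {"from": FUNDER, "to": "0xaaa1", "value": str(9722 * WEI), "timeStamp": "1772409600"},  # 2026-03-02
    {"from": FUNDER, "to": "0xbbb2", "value": str(1000 * WEI), "timeStamp": "1773100800"},  # 2026-03-10
    {"from": FUNDER, "to": "0xbbb2", "value": str(500 * WEI),  "timeStamp": "1774000000"},  # 2026-03-20
    {"from": FUNDER, "to": "0xccc3", "value": str(1794 * WEI), "timeStamp": "1771545600"},  # 2026-02-20
    {"from": FUNDER, "to": "0xccc3", "value": str(300 * WEI),  "timeStamp": "1769000000"},  # before cutoff
    {"from": "0xfeed", "to": FUNDER, "value": str(5077 * WEI), "timeStamp": "1772000000"},  # inflow, ignored
    {"from": FUNDER, "to": "0xddd4", "value": "0",             "timeStamp": "1772500000"},  # 0-value call
]


def ts_to_date(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def outflows_since(txlist, funder, cutoff):
    """Outbound, non-zero native transfers from `funder` at or after `cutoff`."""
    return [tx for tx in txlist
            if tx["from"].lower() == funder.lower()
            and int(tx["value"]) > 0
            and int(tx["timeStamp"]) >= cutoff]


def paid_before(txlist, funder, cutoff):
    """Destinations the funder already paid before the cutoff (old operators)."""
    return {tx["to"].lower() for tx in txlist
            if tx["from"].lower() == funder.lower()
            and int(tx["value"]) > 0
            and int(tx["timeStamp"]) < cutoff}


def summarize(txlist, funder=FUNDER, cutoff=CUTOFF_TS):
    """Totals plus a per-destination table (AVAX, first TX, last TX, TX count)."""
    out = outflows_since(txlist, funder, cutoff)
    old = paid_before(txlist, funder, cutoff)
    per_dest = defaultdict(lambda: {"avax": 0.0, "first": None, "last": None, "txs": 0})
    for tx in out:
        d, ts = per_dest[tx["to"].lower()], int(tx["timeStamp"])
        d["avax"] += int(tx["value"]) / WEI
        d["txs"] += 1
        d["first"] = ts if d["first"] is None else min(d["first"], ts)
        d["last"] = ts if d["last"] is None else max(d["last"], ts)
    ranked = sorted(per_dest.items(), key=lambda kv: kv[1]["avax"], reverse=True)
    return {
        "outbound_transfers": len(out),
        "total_avax": sum(int(tx["value"]) for tx in out) / WEI,
        "unique_destinations": len(per_dest),
        "brand_new_destinations": sum(1 for a in per_dest if a not in old),
        "top": [(a, round(d["avax"], 3), ts_to_date(d["first"]), ts_to_date(d["last"]), d["txs"])
                for a, d in ranked],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_TXLIST)
    print(f"{s['outbound_transfers']} outbound transfers, {s['total_avax']:.0f} AVAX, "
          f"{s['unique_destinations']} destinations ({s['brand_new_destinations']} never paid before cutoff)")
    for row in s["top"]:
        print("  %-8s %10.3f  %s  %s  %d" % row)
```

The "never paid before the cutoff" check is what turns a raw recipient count into a recruitment signal: a destination that already appears in the pre-cutoff history (0xccc3 in the sample, the analogue of 0x0808469a above) is a top-up to an existing operator, not a new one. Zero-value calls are dropped so contract pings do not inflate the transfer count.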


2. The "Top Source" Was Not a Co-Conspirator

In February we noted a funder at 0x9f8c163c... that had sent 5,077 AVAX to the Master Funder but which we had not fully traced. We tentatively labeled it "TOP SOURCE."

Two months of additional data make clear: this address is almost certainly an exchange or OTC hot wallet, not part of the criminal network.

Evidence:

  • Current balance: 1,688,967 AVAX (~$42M at $25/AVAX)
  • First traceable activity: 2021-09-06 (pre-dates the entire poisoning operation by 4+ years)
  • 2.7M AVAX inflow + 2.4M AVAX outflow in the last ~10,000 transactions alone
  • Behavior pattern today (2026-04-20 06:32 UTC):
    • Hundreds of 0-value transfer calls per day to the same destination (0x26debd39...) — classic hot-wallet idle ping / smart-contract calldata pattern
    • Occasional execute calls on 0xee7ae85f... — looks like a router or batcher
    • Small transfer operations to fresh addresses with amounts that resemble customer withdrawals (0.19 AVAX, 1.36 AVAX, 25 AVAX)
  • Active on Ethereum (3 TXs) and Polygon (5 TXs) too — cross-chain hot wallet footprint

The 5,077 AVAX it once sent to the Master Funder was, in all likelihood, a regular withdrawal from a centralized exchange. The poisoning operator walked up to a CEX counter, withdrew AVAX, and walked away. That's not a conspiracy; that's a compliance gap at the exchange.

Similarly, we revise our view of 0x3bce63c6 ("142K AVAX whale"). Current balance 168,901 AVAX, active today (last activity 2026-04-20 06:40 UTC), high-frequency 0-value calls to the same contract endpoints as 0x9f8c163c, occasional outbound payments of various sizes to fresh wallets. Same hot-wallet fingerprint. Its 40 AVAX contribution to the primary operator in February was likely another exchange withdrawal.

Conclusion: there is no whale co-conspirator. The laundering-side money originates at one or two major exchanges that have poor outbound AML controls. This is actionable — and probably a SAR-worthy report to those exchanges if you're an agency.


3. Collectors: The Laundering Front-End Is Busier Than Ever

The two collector addresses — 0xbca34ed5 on Ethereum and 0xa6380bfd on Polygon — are the points where victim funds converge. Their 2-month activity is the best single indicator of whether victims are still being extracted.

Ethereum collector 0xbca34ed5

| Metric | Feb 17 | Apr 20 |
|---|---|---|
| USDT balance | $2,665,507 | $5,970,800 (+124%) |
| USDT received since Feb 17 | | $16,865,450 from 1,450 unique senders (2,574 TXs) |
| USDT sent out since Feb 17 | | $15,134,814 (5,693 TXs) |
| Last activity | | 2026-04-20 06:38 UTC |

In two months, this address handled $16.9M USDT inflow from 1,450 senders and $15.1M outflow. Net +$1.73M. At this velocity, the collector processes more USDT in one week than its entire Feb 17 balance.

We flagged in February that the Ethereum collector is primarily a trading hub with poisoning as a side channel, and that characterization still fits — but the side channel is much larger than it appeared.

Polygon collector 0xa6380bfd

| Metric | Feb 17 | Apr 20 |
|---|---|---|
| USDC balance | $788,521 | $348,256 (−56%) |
| POL balance | 249,588 | 511,722 (+106%) |
| USDC received since Feb 17 | | $1,201,642 from 1,100 unique senders (2,111 TXs) |
| USDC sent out since Feb 17 | | $1,633,777 (3,399 TXs) |
| Last activity | | 2026-04-20 06:40 UTC |

The USDC balance dropped because they are laundering it downstream, not because victim flow stopped. In fact, the opposite: 1,100 unique senders in two months is up from the 715 total sender count we observed in February. The relay pattern we documented in February (victim → relay → collector within ~34 minutes) is still producing the majority of those inflows.

The POL balance more than doubled, suggesting profit-taking or gas/ops reserves building up.

```mermaid
flowchart LR
    subgraph "Feb 17, 2026 — Snapshot"
    A1[1,585 MF recipients]
    B1[ETH col: $2.67M USDT]
    C1[POL col: 249K POL + $788K USDC]
    end

    subgraph "Apr 20, 2026 — Follow-up"
    A2[2,439+ MF recipients<br/>+854 in 60 days]
    B2[ETH col: $5.97M USDT<br/>+$3.3M net, $16.8M gross flow]
    C2[POL col: 511K POL + $348K USDC<br/>$1.2M gross inflow from 1,100 senders]
    end

    A1 -->|60 days| A2
    B1 -->|60 days| B2
    C1 -->|60 days| C2
```
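The relay pattern that feeds the collectors (victim pays a look-alike address, which forwards the same token to the collector within about half an hour) is detectable from a token-transfer list alone. The following is an added example, not the article's or ChainAnalyzer's code: given Etherscan-style tokentx rows and a set of known collector addresses, it flags every transfer into a collector that was preceded, within a time window, by a same-token inbound transfer to the sender of comparable size. The transfers are constructed sample data and the collector address is a placeholder standing in for the Polygon collector; the window and amount ratio are assumed parameters.

```python
"""Added example (not the article's or ChainAnalyzer's code): flag the
victim -> relay -> collector hop pattern in an Etherscan-style tokentx list.
All transfers below are constructed sample data; the collector address is a placeholder."""
from collections import defaultdict

COLLECTOR = "0xcollector-placeholder"   # stands in for the Polygon collector 0xa6380bfd...
COLLECTORS = {COLLECTOR}
T0 = 1771300000                          # constructed base timestamp (after the Feb cutoff)


def usdc(amount):
    """USDC has 6 decimals; token APIs return raw integer strings."""
    return str(int(amount * 10**6))


SAMPLE_TOKENTX = [
    # victim pays a look-alike address (the relay), which forwards to the collector 34 min later
    {"tokenSymbol": "USDC", "from": "0xvictim1", "to": "0xrelay1", "value": usdc(2800),
     "tokenDecimal": "6", "timeStamp": str(T0)},
    {"tokenSymbol": "USDC", "from": "0xrelay1", "to": COLLECTOR, "value": usdc(2800),
     "tokenDecimal": "6", "timeStamp": str(T0 + 34 * 60)},
    # direct payment to the collector with no hop: not a relay pattern
    {"tokenSymbol": "USDC", "from": "0xtrader", "to": COLLECTOR, "value": usdc(50),
     "tokenDecimal": "6", "timeStamp": str(T0 + 7200)},
    # forwarded three days later: outside the default window, so not flagged
    {"tokenSymbol": "USDC", "from": "0xvictim2", "to": "0xrelay2", "value": usdc(1000),
     "tokenDecimal": "6", "timeStamp": str(T0 + 86400)},
    {"tokenSymbol": "USDC", "from": "0xrelay2", "to": COLLECTOR, "value": usdc(1000),
     "tokenDecimal": "6", "timeStamp": str(T0 + 4 * 86400)},
]


def find_relay_hops(transfers, collectors, window_s=6 * 3600, min_ratio=0.9):
    """For every transfer into a collector, look for a same-token inbound transfer to
    the sender within `window_s` seconds before it carrying at least `min_ratio` of
    the forwarded amount. Returns one record per matched hop."""
    collectors = {c.lower() for c in collectors}
    inbound = defaultdict(list)          # (relay, token) -> inbound transfers
    for tx in transfers:
        to = tx["to"].lower()
        if to not in collectors:
            inbound[(to, tx["tokenSymbol"])].append(tx)
    hops = []
    for tx in transfers:
        if tx["to"].lower() not in collectors:
            continue
        relay, t_out, v_out = tx["from"].lower(), int(tx["timeStamp"]), int(tx["value"])
        candidates = [i for i in inbound[(relay, tx["tokenSymbol"])]
                      if 0 <= t_out - int(i["timeStamp"]) <= window_s
                      and int(i["value"]) >= min_ratio * v_out]
        if not candidates:
            continue
        src = max(candidates, key=lambda i: int(i["timeStamp"]))   # latest qualifying inbound
        hops.append({
            "relay": relay, "victim": src["from"].lower(), "collector": tx["to"].lower(),
            "token": tx["tokenSymbol"],
            "amount": v_out / 10 ** int(tx["tokenDecimal"]),
            "minutes_to_forward": (t_out - int(src["timeStamp"])) / 60,
        })
    return hops


if __name__ == "__main__":
    for hop in find_relay_hops(SAMPLE_TOKENTX, COLLECTORS):
        print(f"{hop['victim']} -> {hop['relay']} -> {hop['collector']}: "
              f"{hop['amount']:.2f} {hop['token']} forwarded after {hop['minutes_to_forward']:.0f} min")
```

The window is the tunable that matters: the 34-minute case is caught by the 6-hour default, while the three-day forward in the sample is not, so an analyst widening the window trades recall for false positives from ordinary high-volume senders. In production this rule sits on top of a collector list that itself comes from graph clustering, not from a hand-maintained set.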

4. Wallet Rotation Was Real

One thing we theorized in February was that operator wallets are disposable — used for a few weeks, then retired as new ones spin up. The data now confirms it:

  • Primary operator 0xb2de52d8 — last activity 2026-02-14, 3 days before we published. Dead ever since. Balance: 0 AVAX.
  • Active operator 0x03309000 — was active on all three chains in February. Today:
    • AVAX: depleted, last TX 2026-04-15 (5 days before we pulled this data)
    • ETH: depleted, last TX 2026-03-04
    • POL: 0.001 POL, last TX 2026-02-25
  • Top operator 0x0808469a — received another 1,794 AVAX in late Feb to early March, then quiet again. 80 AVAX remains.
  • Lisu deployer 0x64424853 — dormant since 2025-12-23. No new Lisu-script contracts since.

The 854 fresh destinations the Master Funder has been seeding since Feb 17 are exactly the replacements. The operator population turns over on a roughly 2-3 month cycle.

This has an interesting implication for AML teams: address blacklists decay. A list of operator addresses from February is 30-50% stale by April. Detection has to operate at the fund-flow and behavioral level, not at the static-address level — which is exactly the design of ChainAnalyzer's Follow Mode and graph-clustering detectors.
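The decay argument is easiest to see on a graph. The following is an added example, not ChainAnalyzer's Follow Mode (whose internals the article does not publish): a breadth-first walk along outgoing native transfers from a known seed that tags every address funded downstream within a hop limit, refuses to expand or tag addresses in a known-exchange set (the role the article's Exchange DB plays), and then measures what fraction of first-hop operators a static February-era blacklist would still catch. The edge list, address names and blacklist are constructed sample data.

```python
"""Added example (not ChainAnalyzer's Follow Mode): BFS tag propagation over a
native-transfer graph with an exchange-wallet stop list and a blacklist-decay
measurement. The graph below is constructed sample data."""
from collections import deque

# Constructed edges: (from, to, amount). Names are placeholders, not real addresses.
SAMPLE_EDGES = [
    ("0xcex_hot",   "0xfunder",    5077),   # exchange withdrawal seeding the funder
    ("0xfunder",    "0xop_old",     100),   # February-era operator (on the old blacklist)
    ("0xfunder",    "0xop_new",    9722),   # fresh operator seeded after the report
    ("0xop_new",    "0xrelay",       50),
    ("0xrelay",     "0xcollector",   50),
    ("0xop_new",    "0xcex_hot",    200),   # cash-out to the exchange: must not tag the exchange
]
KNOWN_EXCHANGE_WALLETS = {"0xcex_hot"}       # stands in for the article's Exchange DB
FEB_BLACKLIST = {"0xop_old"}                 # static list as it stood in February


def follow_mode(edges, seeds, exchange_wallets, max_depth=3):
    """Breadth-first walk along outgoing transfers. Returns ({address: depth}, exchange_hits):
    everything reached within max_depth hops is tagged; exchange wallets are recorded
    as attribution hints but never expanded or tagged."""
    out = {}
    for src, dst, _ in edges:
        out.setdefault(src, []).append(dst)
    tags = {s: 0 for s in seeds}
    queue = deque((s, 0) for s in seeds)
    exchange_hits = set()
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for nxt in out.get(node, []):
            if nxt in exchange_wallets:
                exchange_hits.add(nxt)
                continue
            if nxt not in tags:
                tags[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return tags, exchange_hits


def upstream_funders(edges, address, exchange_wallets):
    """Who funded `address`, and whether each funder is a known exchange wallet."""
    return {src: (src in exchange_wallets) for src, dst, _ in edges if dst == address}


def blacklist_coverage(tags, blacklist, depth=1):
    """Fraction of addresses at `depth` (first-hop operators) a static blacklist still catches."""
    ops = [a for a, d in tags.items() if d == depth]
    return len([a for a in ops if a in blacklist]) / len(ops) if ops else 0.0


if __name__ == "__main__":
    tags, ex = follow_mode(SAMPLE_EDGES, {"0xfunder"}, KNOWN_EXCHANGE_WALLETS)
    print("tagged:", tags)
    print("exchange touchpoints (not tagged):", ex)
    print("funders of seed:", upstream_funders(SAMPLE_EDGES, "0xfunder", KNOWN_EXCHANGE_WALLETS))
    print(f"static blacklist catches {blacklist_coverage(tags, FEB_BLACKLIST):.0%} of current operators")
```

In the sample the new operator is tagged at depth 1 the moment the seed pays it, even though no blacklist has ever seen it, and the exchange hot wallet is reported as a funding source rather than pulled into the cluster. That is the difference between a fund-flow detector and a static list: the list in the sample already covers only half of the live operators.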


5. The Mass-Poisoning Funder Paid Off

Perhaps the single most striking data point:

The Polygon mass-poisoning funder at 0xa081aa46 spent just $12.55 to poison 6,874 addresses in January. We flagged this as one of the highest-ROI crimes we'd ever seen and suggested that even a single successful victim would 100x the investment.

Today, that address holds 23,435 POL (~$24K at $1/POL). It is still active — last transaction 2026-04-20 00:14 UTC, six hours before we queried it.

From $12.55 to $24,000+. A 1,870× return on capital in roughly 3 months — before even counting any funds it has already moved downstream.

That's the entire economic argument for why this attack class is not going away without active defense.


6. The Deployer Hasn't Shipped New Contracts — It Doesn't Need To

0x4226dd7419b1431f512d82a2c9e5fa1597fb1077 was the main fake-token deployer responsible for 39 Unicode-impersonation contracts. We checked whether it has deployed new contracts since Feb 17.

Zero new deployments. 200 other transactions.

The existing 39 contracts are still being used to mint and transfer fake tokens to victims. The deployer address itself is active (last TX 2026-04-20 06:39 UTC), but it's doing operational transactions, not creation transactions. The fake-token inventory from late 2025 is sufficient to run the whole operation — no need to paint new decoys.

This matters because typical "contract creation detection" signals would miss this operator entirely during the period they're most active.


Updated Network Topology

```mermaid
flowchart TD
    subgraph "Exchange / OTC layer (not co-conspirators)"
      TS[0x9f8c163c<br/>CEX hot wallet<br/>1.69M AVAX today]
      WHALE[0x3bce63c6<br/>OTC/hot wallet<br/>168.9K AVAX today]
    end

    MF[MASTER FUNDER<br/>0x54cdcbdb<br/>12,254 AVAX<br/>2,439+ lifetime recipients<br/>ACTIVE 2026-04-20]

    subgraph "Operator layer — rotating"
      OLD[Feb-era operators<br/>most retired]
      NEW[854 new recipients<br/>Feb 17 – Apr 20]
    end

    DEP1[Main deployer 0x4226dd74<br/>39 contracts, no new deploys]
    DEP2[Lisu deployer 0x64424853<br/>DORMANT]

    POISON[6,892+ poisoned addresses<br/>3 chains]

    ETHCOL[ETH collector 0xbca34ed5<br/>$5.97M USDT<br/>+$16.8M gross in 60 days]
    POLCOL[POL collector 0xa6380bfd<br/>$348K USDC + 511K POL<br/>$1.2M gross in 60 days]

    TS -->|CEX withdrawal| MF
    WHALE -->|CEX withdrawal| MF
    MF -->|AVAX seed| OLD
    MF -->|AVAX seed| NEW
    OLD -->|already retired| POISON
    NEW -->|currently active| POISON
    DEP1 -->|fake contracts| POISON
    DEP2 -->|contracts abandoned| POISON
    POISON -->|relay chains| ETHCOL
    POISON -->|relay chains| POLCOL
```

What This Changes

For victims and potential victims:

The network exposing itself to public investigation did not cause it to shut down. If anything, it accelerated recruitment. That means every protective behavior we recommended in February still applies, with more urgency:

  • Never copy an address from your transaction history. Use your address book, or re-verify from the source.
  • Compare addresses character-by-character, not by first-4 / last-4.
  • Suspicious tokens arriving in your wallet are not a gift — they are a marker that you are already being targeted for the next step.
  • Before sending funds, screen the destination address. ChainAnalyzer does this for free at chain-analyzer.com. The MCP server lets AI agents do it automatically before signing.

For exchanges:

Two addresses — 0x9f8c163c and 0x3bce63c6 — have together sent funds to wallets that seeded thousands of poisoning operators. Our review strongly suggests these are exchange or OTC hot wallets. If they are yours, your withdrawal-side AML controls have a blind spot specific to address-poisoning actors. We would welcome a conversation.

For AML teams and regulators:

Address-based blacklists decay within 2-3 months for this attack class because of deliberate wallet rotation. Effective detection has to operate at the fund-flow and graph level, not at the static address level. ChainAnalyzer's detector suite is explicitly designed around this:

  • P2 ADDRESS_POISONING detector for Unicode impersonation signatures on token transfers
  • W9 BRIDGE_FUNDED / W10 PRIVACY_BRIDGE_FUNDED detectors for cross-chain laundering
  • Follow Mode for automatic BFS graph exploration of related addresses
  • Exchange DB with 60+ known CEX hot wallets (and growing) to correctly attribute funding sources
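The Unicode-impersonation signatures behind the first detector in that list (Cyrillic UЅDT, Lisu ꓴꓢꓓt, zero-width invisibles) can be caught by normalising a token symbol and asking whether it collapses onto a canonical stablecoin symbol only after that normalisation. The following is an added example, not ChainAnalyzer's P2 detector, whose rules the article does not publish. It strips zero-width characters, applies NFKC compatibility folding, and maps a small constructed subset of script-confusable letters (the full Unicode confusables table is much larger); the canonical symbol set and the sample transfers are constructed for the example.

```python
"""Added example (not ChainAnalyzer's P2 detector): normalise ERC-20 symbols and
flag ones that collapse onto a canonical stablecoin symbol only after removing
zero-width characters, NFKC compatibility forms, or script-confusable letters."""
import unicodedata

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Small constructed subset of look-alikes (the Cyrillic and Lisu letters from the
# article's examples), not the full Unicode confusables table.
CONFUSABLES = {
    "\u0405": "S", "\u0455": "s",   # Cyrillic DZE, as in U\u0405DT
    "\u0421": "C", "\u0441": "c",   # Cyrillic ES
    "\u0422": "T", "\u0442": "t",   # Cyrillic TE
    "\ua4f4": "U", "\ua4e2": "S", "\ua4d3": "D", "\ua4d4": "T",   # Lisu letters U, SA, DA, TA
}
CANONICAL = {"USDT", "USDC", "JPYC"}   # constructed allow-list of symbols worth impersonating


def skeleton(symbol: str) -> str:
    """Strip invisibles, fold compatibility forms, map confusables, upper-case."""
    s = "".join(ch for ch in symbol if ch not in ZERO_WIDTH)
    s = unicodedata.normalize("NFKC", s)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.upper()


def classify(symbol: str):
    """Returns (verdict, skeleton, reasons); verdict is 'legit', 'impersonation' or 'unknown'."""
    reasons = []
    if any(ch in ZERO_WIDTH for ch in symbol):
        reasons.append("zero-width characters")
    if any(ord(ch) > 127 for ch in symbol):
        reasons.append("non-ASCII characters")
    sk = skeleton(symbol)
    if symbol.upper() in CANONICAL and not reasons:
        return "legit", sk, reasons            # plain ASCII match, no tricks
    if sk in CANONICAL:
        return "impersonation", sk, reasons    # only matches after normalisation
    return "unknown", sk, reasons


def flag_impersonations(transfers):
    """Filter Etherscan-style tokentx rows down to those carrying an impersonating symbol."""
    flagged = []
    for tx in transfers:
        verdict, sk, reasons = classify(tx["tokenSymbol"])
        if verdict == "impersonation":
            flagged.append({"contract": tx["contractAddress"], "symbol": tx["tokenSymbol"],
                            "impersonates": sk, "reasons": reasons})
    return flagged


# Constructed sample rows; contract addresses are placeholders.
SAMPLE_TOKENTX = [
    {"contractAddress": "0xreal-usdt", "tokenSymbol": "USDT"},
    {"contractAddress": "0xfake-1", "tokenSymbol": "U\u0405DT"},                    # Cyrillic DZE
    {"contractAddress": "0xfake-2", "tokenSymbol": "\ua4f4\ua4e2\ua4d3t"},          # Lisu letters
    {"contractAddress": "0xfake-3", "tokenSymbol": "USD\u200bT"},                   # zero-width space
    {"contractAddress": "0xfake-4", "tokenSymbol": "\uff35\uff33\uff24\uff34"},      # fullwidth letters
    {"contractAddress": "0xweth", "tokenSymbol": "WETH"},
]

if __name__ == "__main__":
    for hit in flag_impersonations(SAMPLE_TOKENTX):
        print(f"{hit['contract']}: {hit['symbol']!r} impersonates {hit['impersonates']} ({', '.join(hit['reasons'])})")
```

Symbol analysis is a trigger, not proof: the authoritative check for a stablecoin is always the contract address against an allow-list, and a wallet that shows only the symbol is exactly what these decoys exploit. Casing alone is deliberately not treated as a signal, because legitimate bridged assets do vary in case across chains.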

For Japan-market crypto operators:

The 176M yen of JPYC observed in this network in February — and the continued operator expansion since — continues to indicate that Japanese retail users are specifically in the crosshairs. ChainAnalyzer's JPYC AML coverage was built for exactly this. If your product uses JPYC for B2B settlement, creator payouts, or EC payment acceptance, pre-transfer screening is no longer optional.


Methodology Notes

All data in this article was pulled on 2026-04-20 between 06:20 and 06:45 UTC using:

  • Routescan ( https://api.routescan.io/v2/network/mainnet/evm/43114/etherscan/api ) — Avalanche C-Chain, free, keyless
  • Etherscan V2 ( https://api.etherscan.io/v2/api?chainid=1 for Ethereum and chainid=137 for Polygon ) — free API key

Query patterns:

  • Native balance: module=account&action=balance
  • ERC-20 balance: module=account&action=tokenbalance&contractaddress=<token>
  • Transaction list: module=account&action=txlist (10K TX limit per call per address, sort=desc)
  • Token transfer list: module=account&action=tokentx (10K TX limit per call)

Cutoff for "since Feb 17, 2026": Unix timestamp 1771200000 (2026-02-16 00:00 UTC).
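The query patterns above are straightforward to assemble, but the 10K-per-call cap on txlist means a busy address like the Master Funder cannot be read in one request. The following is an added example, not the article's tooling: it builds the module/action query strings for Routescan and Etherscan V2, confirms what the cutoff timestamp means in UTC, and walks txlist past the cap by restarting each call at the last block seen and de-duplicating the boundary block by hash. The HTTP layer is injected as a function so the example runs offline against a constructed set of rows; the `page`, `offset`, `startblock`, `endblock` and `sort` parameters are the standard Etherscan-compatible ones.

```python
"""Added example (not the article's tooling): build the Etherscan-compatible
queries listed above and walk txlist past the 10,000-row-per-call cap.
`fetch_json` is injected so the example runs offline against constructed rows."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

ROUTESCAN_AVAX = "https://api.routescan.io/v2/network/mainnet/evm/43114/etherscan/api"
ETHERSCAN_V2 = "https://api.etherscan.io/v2/api"
CUTOFF_TS = 1771200000


def cutoff_label(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M UTC")


def build_query(base: str, chainid=None, **params) -> str:
    """module/action style query; chainid only for Etherscan V2 (1 = Ethereum, 137 = Polygon)."""
    q = dict(params)
    if chainid is not None:
        q["chainid"] = chainid
    return f"{base}?{urlencode(q)}"


def fetch_all_txs(fetch_json, base, address, chainid=None, page_size=10000,
                  start_block=0, end_block=99999999):
    """Pull txlist in ascending order and restart each call at the last block seen,
    de-duplicating rows from the boundary block by hash. Assumes no single block holds
    more than `page_size` transactions for the address (the walk would otherwise not advance)."""
    seen, rows = set(), []
    while True:
        url = build_query(base, chainid, module="account", action="txlist", address=address,
                          startblock=start_block, endblock=end_block, page=1, offset=page_size, sort="asc")
        page = fetch_json(url).get("result") or []
        if not isinstance(page, list):      # a message string comes back on error / no results
            break
        fresh = [r for r in page if r["hash"] not in seen]
        rows.extend(fresh)
        seen.update(r["hash"] for r in fresh)
        if len(page) < page_size:
            break
        start_block = int(page[-1]["blockNumber"])
    return rows


def since_cutoff(rows, cutoff=CUTOFF_TS):
    return [r for r in rows if int(r["timeStamp"]) >= cutoff]


# Offline stand-in for the HTTP layer: constructed rows, not real chain data.
FAKE_CHAIN = [
    {"hash": f"0xh{i}", "blockNumber": str(b), "timeStamp": str(t)}
    for i, (b, t) in enumerate([(100, 1769000000), (100, 1769000100), (101, 1771200000),
                                (102, 1772000000), (103, 1773000000), (103, 1773000050),
                                (104, 1774000000)])
]


def fake_fetch_json(url: str) -> dict:
    """Mimics a txlist endpoint: rows at or after startblock, capped at `offset` rows."""
    q = parse_qs(urlparse(url).query)
    start, cap = int(q["startblock"][0]), int(q["offset"][0])
    matching = [r for r in FAKE_CHAIN if int(r["blockNumber"]) >= start]
    return {"status": "1", "message": "OK", "result": matching[:cap]}


if __name__ == "__main__":
    print("cutoff", CUTOFF_TS, "=", cutoff_label(CUTOFF_TS))
    print(build_query(ETHERSCAN_V2, 137, module="account", action="tokenbalance",
                      contractaddress="<token>", address="<address>"))
    txs = fetch_all_txs(fake_fetch_json, ROUTESCAN_AVAX, "<address>", page_size=3)
    print(len(txs), "rows total,", len(since_cutoff(txs)), "since cutoff")
```

Walking by block number rather than by page index is what keeps the pull consistent while new transactions keep landing, which matters for an address that was still receiving funds the day the data was pulled. The same loop serves tokentx by swapping the action name.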

Every balance and transaction count above is reproducible against public on-chain data.


Takeaways

  • The $5.3M network is now materially larger than it was when we published the February report. The investigation publicity did not deter it; it accelerated.
  • 854 new operator wallets have been funded by the single Master Funder in 60 days. The operator population rotates on a 2-3 month cycle.
  • The Ethereum collector processed $16.8M USDT from 1,450 senders during the interval; the Polygon collector processed $1.2M USDC from 1,100 senders. Real victims, real money, active every day.
  • Two addresses we previously labeled as "whale co-conspirators" are almost certainly exchange / OTC hot wallets. The laundering stack starts at a compliance gap inside those exchanges.
  • The fake-token deployer has not shipped new contracts in two months — the existing 39 contracts are sufficient inventory for the whole operation. Contract-creation-based detection misses this.
  • For retail Web3 users, the defense is pre-transfer address screening. For AI agents, the defense is automatic screening via the ChainAnalyzer MCP server at $0.008 per check.

We will follow up again in 2-3 months. In the meantime, every new operator the Master Funder seeds between now and then will be tagged and propagated to ScamDB and the ChainAnalyzer detector suite automatically via Follow Mode.


Appendix A — All Key Addresses

Avalanche

Ethereum

Polygon


Appendix B — Try It Yourself

Any of the above addresses can be scanned free at chain-analyzer.com. Or programmatically via:

```bash
# REST API (subscription)
curl -H "X-API-Key: tfk_..." \
  "https://chain-analyzer.com/api/v1/public/scan?address=0x54cdcbdba40e294e8832230db706cee76e1f20f3&chain=avalanche"

# x402 USDC micropayment (no account needed, $0.008 / call)
curl "https://chain-analyzer.com/x402/api/address/0x54cdcbdba40e294e8832230db706cee76e1f20f3/risk-score"

# MCP (from Claude Desktop, Claude Code, ChatGPT, Gemini, Cursor…)
# After configuring chainanalyzer-mcp, just ask your AI: "scan 0x54cdcbdb..."
```

If you find new operator wallets the Master Funder has seeded, please report them to ScamDB.


Investigation by refinancier, inc. All data from public on-chain sources. ChainAnalyzer is a multi-chain AML and security intelligence platform. Contact us for enterprise or law-enforcement engagement.
