Exclusive: Money stolen from BlueBenx ended up in Binance wallet

The exchange Binance is the destination of part of the cryptocurrencies that the Brazilian company BlueBenx claims were stolen when falling into an alleged scam that led it to block withdrawals from its customers since last Thursday (11).

According to the calculation of Bitcoin Portalthe exchange received the equivalent of BRL 1.1 million worth of USDT stablecoin tokens that BlueBenx allegedly lost when falling into a false listing scheme.

BlueBenx changed the version it had been telling so far, that it had suffered an “extremely aggressive hacker attack”, responsible for evaporating the money of customers of its products that promised to pay returns of up to 66.2% per year.

Now, the company says it was the victim of a scammer who disguised himself as an employee of another company, brokerage Bitrue.

As per on-chain tracking performed by Bitcoin Portal, most of the money obtained by the alleged scammer in the scheme was sent to Binance. It is estimated that at least 216,640 USDT (about R$1.1 million) were sent by him to the brokerage, from multiple addresses.

In this scenario, Binance may be being used as a money laundering channel, something that has already been seen at other times in the past. A Reuters estimate points out that Binance was used to launder BRL 12 billion in cryptocurrencies resulting from hacks, investment fraud and other crimes, between 2017 and 2021.

In an email to customers sent on Monday (15), BlueBenx states that the scammer made “thousands of liquidity withdrawal transactions in the pools where we had our token listed on DeFi, leading to a drain in minutes of all available liquidity, including USDT reserve funds that were paired with our token.”

Sought by the report, Binance declined to comment on the BlueBenx case, limiting itself to saying that it “acts in full collaboration with local authorities, including in any investigations, to prevent malicious people from using the platform.”

“The exchange emphasizes that it has a world-renowned investigative team, made up of former international agents, which works in constant coordination with local authorities in the fight against cyber and financial crimes, including pre-emptive tracking of suspicious accounts and fraudulent activity.” added.

Understand the alleged blow suffered by BlueBenx

BlueBenx says that in July it was negotiating the listing of its BENX token on exchange Bitrue, the 25th largest exchange in the world, with a man named Liu Kwai Wah. The executive allegedly claimed to be Bitrue’s business partnerships manager and reportedly struck a deal to list the BlueBenx token on the exchange for a payment of 200,000 USDT and 25 million BENX.

Trusting Liu Kwai Wah’s identity and without verifying that he actually worked at Bitrue, BlueBenx made the payments requested by him. On July 22, he sent 200,000 USDT to Wah’s address. Three days later, he sent the 25 million BENX to the same destination address.

With full payment in hand on July 25, the alleged scammer would have dumped the 25 million BENX into liquidity pools, a move that made the BlueBenx token go to zero and lose virtually all of its market value.

When that happened, BlueBenx says it caught on to the scam. A BO ​​was made by the company’s lawyer, Assuramaya Kuthumi. He narrates what would have happened: “After payment, we verified that the values ​​and the Benx were not available, in the case of a fraud. We notified the company and it informed that Mr. Liu is not a representative of the company.”

The report managed to locate Liu Kwai Wah on LinkedIn, and questioned Bitrue’s official profile on Twitter if he was in fact an employee of the brokerage. Quickly, the broker was able to verify the identity of the executive and respond to the request for information:

“We verified and informed that the person is not from Bitrue. We suggest that you be more careful in the future. If someone sends you a message claiming to be a representative of Bitrue, they are a SCAMMER and are trying to steal your funds or information. We cannot emphasize enough that Bitrue will NEVER ask you to transfer funds to resolve an issue.”

BlueBenx’s stolen money trail

Since last week, the Bitcoin Portal asked BlueBenx and his lawyer to send the addresses of the wallets involved in the scam for verification, but they refused to send the requested data.

Despite this, the report reached the address of the alleged scammer when analyzing BENX’s movements on the BNB Chain blockchain on July 25.

That day, the exact amount of 25 million BENX went from wallet 0x7…0c5b, which probably belongs to BlueBenx, to wallet 0xd…b3be of the alleged scammer, around 5:16 pm.

It is possible to consider that this is the transaction referring to the scam for two main reasons. First, the value matches exactly what BlueBenx reports. Furthermore, shortly after the funds arrived in the destination wallet, the price of BENX collapsed, reflecting the token settlements in liquidity pools.

It is also possible to point out that the origin address of the amount belongs to BlueBenx because this same address received 95 million BENX from another wallet supplied by the BENX mother address (BlueBenx Deployer), which represents the cryptocurrency’s smart contract.

With this information in hand, it was possible to find the transaction on July 22, in which BlueBenx sends 200 thousand USDT, from the address 0x7…3346, to the same wallet 0xd…b3be of the scammer, which coincides with the date and the values ​​informed by the company in its BO.

BlueBenx scammer wallets

In addition to the US$ 200,000 that the scammer received directly from BlueBenx, his wallet also received values, in USDT, from five other addresses, which possibly represent the profit he obtained from the liquidation of BENX tokens.

By noticing the movements of BENX at this scammer’s main address through the BitQuery platform, it was possible to see that 24.9 million BENX passed through the liquidity pools of DODO (image below), one of the largest decentralized exchanges (DEX) of BNB Chain. When these cryptocurrencies were settled in the pool by USDT, the money was transferred back to the main wallet.

The source of the second largest amount of USDT sent to the alleged scammer came from the address 0xc…f7b0, which represents the smart contract of the BENX liquidity pool in DODO. That contract was responsible for sending you 38,865 USDT in 42 different transactions.

You can confirm that the source address is from the BENX liquidity pool because it is listed in the project documentation, now deleted from the BlueBenx website.

The reporter was able to access the documentation based on a saved copy of the website, now available for consultation on the Web Archive. In addition to the documentation, BlueBenx has also taken down the token whitepaper — also saved on the Web Archive.

Two other addresses linked to BENX pools on DODO sent another 27,091 USDT to the scammer’s wallet in 62 transactions.

DEX BabySwap (0x5…7046) was also used by the scammer to liquidate a small portion of BENX. About 6,655 USDT was withdrawn from that pool through 42 transactions.

The identification of these source addresses confirms that these USDT amounts that the scammer received in addition to the initial 200,000 USDT represent settlement in the BENX token in liquidity pools.

In this way, it is possible to estimate that he managed to obtain about $72,600 in USDT by liquidating a significant part of the tokens he initially received. The value is small, since the very movement of eviction of tokens by the attacker caused the price of the asset to depreciate instantly, bringing down his profit with the operation as a reflection.

By starting the liquidations in the late afternoon of July 25th, the scammer caused the price of BENX to go into free fall. If at 4pm that day the token was worth $0.21, its price was no more than $0.0001 at 9pm — a 99.9% drop in a matter of hours, according to CoinMarketCap.

BlueBenx Money Sent to Binance

When analyzing the money trail on the blockchain using the BitQuery tool, we see that the final destination of the money was Binance’s Hot Wallet 6 (0x8…d4e3).

The estimate is that 216,640 USDT (R$ 1.1 million) from the scammer has been sent to the broker, as can be seen in the image above in the gray block in the upper right corner.

This data is a clipping of movements that the report was able to track, but may not represent the totality of deviated values.

This is because the amount moved by the alleged scammer and tracked on the blockchain is much lower than the alleged losses reported by BlueBenx.

When the company stopped the withdrawals, his lawyer revealed to some investors who went to visit him at the BlueBenx headquarters last Thursday, that the loss identified at that first moment was about R$ 160 million.

This amount was 2,500 company customers who invested in BlueBenx Finance products (Spread, Smart DeFi and Savings), promoted by the company as capable of delivering high returns.

BlueBenx promised, for example, to pay a yield of up to 66.2% a year on a product called “DeFi 360”, in which the customer had to keep their funds locked up for 12 months.

Which cryptocurrencies to invest in to always be able to give positive returns to customers, even in periods when the entire crypto market was down, was something BlueBenx never made clear.

In the whitepaper that the company recently took down, the earnings promises are even higher. The document says that BlueBenx Finance clients could receive up to 80% (APY) of compounded interest annually.

Suspected BlueBenx scam

The withdrawal block made by BlueBenx last week took large proportions due to the platform’s lack of transparency about the incident, combined with the disappearance of the company’s leaders, such as its CEO Roberto Cardassi, and the mass layoffs of employees. This set of factors raised many suspicions in customers that the company may be behind the scam – something she vehemently denies.

A group of lawyers who also had their investments frozen by the company, called the “Investor Lawyers Commission”, went earlier this week to the office of Assuramaya, the lawyer representing BlueBenx, to ask for more clarification on the incident.

In a note shared with other investors, the lawyers gave their understanding of the case:

“There are several inconsistencies and points of disagreement in the allegations presented about how the hack took place, in the security procedures, as well as in the alleged measures they would have taken.”

Among the criticisms of the legal group is the strangeness with how BlueBenx handed over such a large amount of cryptocurrency to an alleged Bitrue executive, without even verifying his identity.

“As a company of this size, with the experience of its partners and, it should be noted, with all the security systems and checks, it carries out a large transfer without the necessary certifications and/or validations, especially considering that all operations were carried out personally by the partner Roberto Cardassi, of undeniable expertise given his history”, he points out.

Finally, the lawyers’ commission states that it saw “several contradictions in the lawyer’s speech, in bodily expressions, in the chronology of the alleged alleged facts and, also, in the measures adopted, which leads us to conclude that there is no verisimilitude in the company’s allegations. ”.

In Telegram groups, BlueBenx customers have been organizing since last week to file lawsuits against the company and try to recover the money locked up on the platform.

News Source