
True or False: Examining the "Ransom" Address of the Northern Alliance in Myanmar from an On-Chain Perspective
TechFlow Selected TechFlow Selected

True or False: Examining the "Ransom" Address of the Northern Alliance in Myanmar from an On-Chain Perspective
This article conducts an in-depth analysis of publicly disclosed addresses in terms of their fund inflow and outflow patterns, sources of funds risk, and activities of associated addresses, and discloses the related analytical findings.
Authors: SlowMist, Bitrace Team
Background
On January 16, 2024, a blogger claimed on Chinese social media platforms that the Myanmar-based allied forces had allegedly demanded high-value cryptocurrency payments from Chinese telecom fraud operators stranded in Myanmar. The post included what was purported to be the crypto address used for receiving these funds. This claim has since spread widely across online networks.
This report presents a joint blockchain analysis by Bitrace and MistTrack of the disclosed cryptocurrency address, examining patterns in fund inflows and outflows, risk levels associated with funding sources, and related address activities, aiming to disclose findings based on available on-chain data.
Address Behavior Analysis

(https://mp.weixin.qq.com/s/WDWM22vw68-NsVr0_1jHfA)
The image above shows information from the original post. Based on this, researchers conducted a USDT exchange rate analysis on the disclosed receiving address TKFsCN, attempting to infer potential settlement units through specific transaction amounts.

Historical transaction records show that many individual USDT transfers received by this address are not rounded to tens or hundreds—such as 71,417 or 42,857—which commonly occurs when transactions are settled in non-USD currencies. After testing conversions using major fiat currencies against USDT, researchers found these transactions likely use an exchange rate around 1 USD : 7–7.2 CNY. Furthermore, transferred amounts cluster around RMB 500,000, 1,000,000, and 1,500,000, suggesting settlements were made in whole RMB units.

After filtering out transactions of 100 USDT or less, statistical analysis revealed that out of 307 total incoming USDT transactions to TKFsCN, 193 involved amounts corresponding to standard RMB-to-USD conversion values. These accounted for 62.86% of transaction count and 45.29% of total value.
This indicates that over half of the transactions received by this address were settled in RMB, with 500,000 RMB equivalents being predominant. The payers sending USDT are likely Chinese nationals.
Funding Source Analysis
The original article stated: “After taking control of Laukkaing, they began rounding up (note: telecom fraud workers) Chinese people everywhere—asking whether they would voluntarily pay for protection. Those who paid could leave; those who refused would be handed over to China.” If true, we should observe numerous new counterparties transacting with TKFsCN, with funds originating partially from illicit sources such as money laundering, fraud, and other gray-market activities.

Data shows that between October 22, 2023, and January 2, 2024, TKFsCN received USDT transfers from 182 direct counterparties. Among them, 117 addresses exhibited a pattern of two consecutive transactions—one small amount followed by a large one—a typical behavior used to test the validity of a receiving address before making a full transfer. This suggests that at least 62.29% of the counterparties may have been first-time senders, not regular business partners of TKFsCN.

Further risk assessment of the funding sources reveals strong links between the senders and illicit activities such as black/gray market operations, online gambling, fraud, money laundering, and high-risk payments. Of the 182 direct senders, as many as 42% were linked to risky activities, collectively transferring US$33,523,148 worth of USDT to TKFsCN.

(Image source: MistTrack & BitracePro)
Notably, among these high-risk addresses, investigators identified seven directly tied to known criminal cases—including two money laundering cases, one fraud case, one online gambling case, and one phone scam case—with suspects located in northern Myanmar or Cambodia.
This implies that the counterparties sending funds to TKFsCN are not only involved in widespread risky crypto activities but also closely connected to criminal elements in Southeast Asia.
Another anomaly: investigators also found a sender address linked to a telecom fraud-related money laundering operation, indicating potential red flags even in upstream fund tracing. This issue will be discussed further in the next section, "Related Address Analysis," without disclosing sensitive details.
Related Address Analysis
Cluster analysis of the TKFsCN address suggests it is potentially controlled by the same entity as nearly 100 other addresses. Some of these exhibit similar transaction behaviors and reveal additional insights about the recipient. Take TKKj8G as an example:
-
TKKj8G directly received over 4.6 million USDT in six transactions from TKFsCN, acting as one of the aggregation points in the downstream fund flow;
-
TKKj8G is one of the core receiving addresses—out of 60 incoming transactions exceeding 100 USDT, 50 showed the same small-test transaction pattern seen in TKFsCN;
-
TKKj8G became active as early as August 18, 2023, significantly earlier than other related addresses, and during that time engaged in transactions with Huiwang Guarantee—receiving 160,000 USDT from a Huiwang Guarantee address, which appears consistent with a merchant reclaiming their deposit from the escrow service.

These findings suggest that the so-called "Finance Department address" mentioned in the original post may not actually exist. Instead, addresses like TKFsCN and TKKj8G likely belong to a digital currency exchange operator based in northern Myanmar or Cambodia, collecting funds on behalf of others for specific reasons.

Anomalous Transactions
In summary, investigators can reconstruct a typical payer profile: individuals working illegally in Southeast Asia, compelled for some reason to send approximately 500,000 RMB worth of USDT to a designated collection address. As first-time users, they conduct a small test transaction prior to the main transfer to confirm address accuracy. The cryptocurrency used either originates from prior illegal earnings or was purchased from other illicit entities.
However, not all senders fit this pattern. Investigators also identified several addresses that partially or fully deviate from these characteristics. For instance, address TYU5acSGRwsYJfBhdpQc3broSpfsjs8QFF—one of the seven previously mentioned directly involved addresses—transferred an amount equivalent to 1.36 million RMB under the same exchange rate. While still a round number, this amount notably differs from others (which were mostly multiples of 500,000 RMB).
The reason remains unclear. Given that this address also performed a small test transaction, a plausible hypothesis is that the payment represents three separate 500,000 RMB transfers combined into one, possibly receiving a 10% discount as an incentive.

Conclusion
This report provides an in-depth analysis of the disclosed address regarding transaction patterns, funding source risks, and associated address activities. Key findings include:
-
Over half of the transactions received by the target address were settled in RMB, with dominant transfer amounts equivalent to 500,000, 1,000,000, and 1,500,000 RMB;
-
Counterparties sending funds to this address are closely linked to black/gray market activities, online gambling, fraud, money laundering, and high-risk payments;
-
The target address and its associated addresses had already shown signs of involvement in risky operations prior to the surge in such transactions. Cluster analysis suggests these addresses may belong to a merchant affiliated with Huiwang Guarantee;
-
Payers sending funds to the target address are closely tied to criminal actors in northern Myanmar or Cambodia.
In conclusion, certain claims in the article titled "Allied Forces’ Cryptocurrency Account Exposed: Extorting Hundreds of Millions in Crypto from Northerners" align with on-chain evidence. There is indeed substantial movement of USDT—denominated in whole RMB amounts—from Chinese telecom fraud operators in northern Myanmar or Cambodia to a cluster of addresses. However, these addresses are unlikely to belong to an official "Finance Department," as alleged, but rather appear to be operated by local digital currency exchange services, contradicting the original narrative.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










