Fake Hong Kong Health-Tech Company Scams $1.6 Billion in USDT; On-Chain Tracking Reveals Full Extent of the Fraud
TechFlow Selected TechFlow Selected
Fake Hong Kong Health-Tech Company Scams $1.6 Billion in USDT; On-Chain Tracking Reveals Full Extent of the Fraud
A platform masquerading as a Hong Kong health tech group circulated approximately $1.6 billion in USDT via the TRON network over 16 months.
Navigating Web3 tides with focused insightsAuthor: BlockSec
Translation & Compilation: TechFlow
TechFlow Introduction: Blockchain security firm BlockSec conducted a comprehensive on-chain fund tracing investigation of VerilyHK—a Ponzi platform masquerading as a Hong Kong-based health technology company. Over 16 months, the platform processed approximately $1.6 billion in USDT via the TRON network, deploying an industrial-grade fund routing infrastructure comprising eight generations of hot wallets for receiving funds, 79 intermediate transit addresses, and three generations of paired withdrawal channels—ultimately funneling all proceeds into a single centralized exchange. The fund flow also involved Huione Group, a Cambodian financial entity sanctioned by the U.S. Financial Crimes Enforcement Network (FinCEN).
Key Findings: A platform posing as a Hong Kong health technology group moved roughly $1.6 billion in USDT across the TRON network over 16 months. This figure represents an upper-bound estimate that may include internal fund recycling. On-chain analysis uncovered an industrialized fund routing infrastructure: eight generations of hot wallets for receiving funds; 79 intermediate transit addresses; three generations of paired withdrawal channels (with sub-second switching capability); and a shared exchange exit point fed by tens of thousands of suspected deposit addresses. This article fully reconstructs the end-to-end topology—from victim deposits to exchange withdrawals.
Background
VerilyHK publicly presented itself as a legitimate Hong Kong health technology investment platform. The name itself appears opportunistic: one reference is Verily Life Sciences, Alphabet’s precision health subsidiary focused on AI-driven healthcare and medical devices; the other is a listed A-share environmental engineering company (stock code: 300190), wholly unrelated to health technology or cryptocurrency. VerilyHK’s website copy claimed expertise in AI health, big data analytics, and medical devices—almost verbatim from the official Verily positioning. Its marketing messaging also evolved continuously—from immune cell therapy and portable ECG devices to AI health, health credit systems, and data asset tokenization—even falsely claiming to hold Hong Kong Securities and Futures Commission (SFC) Type 4 (securities advisory) and Type 9 (asset management) licenses.
Caption: Wayback Machine snapshot of verilyhk.com showing the platform’s “About Us” page, which claims to deliver health management solutions powered by AI, big data, and medical devices.
In April 2025, the Heishan District Government issued a risk alert explicitly identifying the project as exhibiting “clear characteristics of pyramid schemes and illegal fundraising,” relying heavily on “offshore cryptocurrency transactions.” By late April 2025, multiple anti-fraud monitoring platforms issued collapse warnings. The platform ceased operations in February 2026.
With approximately $1.6 billion in on-chain transaction volume, VerilyHK dwarfs other crypto Ponzi schemes previously prosecuted by regulators—including Forsage ($300 million, SEC lawsuit) and NovaTech ($650 million, SEC litigation). Yet, until now, no public on-chain analysis has dissected this crypto crime operation.
This article does not rely on the above public alerts to draw conclusions. All findings below derive exclusively from on-chain analysis of TRON-based USDT stablecoin flows associated with the platform, progressively reconstructing the true nature of its internal infrastructure.
Starting Point
The investigation began with two TRON addresses provided by a victim: one for deposits and one for withdrawals. Tracing the relationship between them revealed not just a single path—but an entire multi-layered, multi-generational fund routing network.
Fund Receiving Layer: Eight Generations of Rotating Hot Wallets Over 16 Months
VerilyHK did not rely on fixed receiving addresses. It deployed at least 15 addresses, organized into eight distinct generations, rotated sequentially over the 16-month period from October 2024 to February 2026.
These addresses were not operated in parallel. Instead, they formed a relay chain: the end date of each generation precisely matched the start date of the next. This day-precise handover pattern recurred across all eight transitions. Beyond timing, adjacent generations shared the majority of their deposit address networks—with over 65% overlap—confirming unified operational control, merely rotating to new wallets.
Transaction volume per generation surged dramatically over time. Early generations handled tens of millions of dollars monthly, but by Generation Six, volumes reached hundreds of millions. The final generation processed over $900 million in under four months. Cumulative volume across all generations totaled approximately $1.6 billion.
However, these figures should be treated as upper-bound references—not net user deposits. They derive from full-graph aggregation and may include internal transfers. In Ponzi structures, “returns” paid to users may be reinvested, causing the same funds to be counted multiple times at the receiving layer. The explosive growth in later-generation volumes likely reflects both genuine expansion and intensifying internal fund recycling.
Caption: Timeline of the receiving layer, illustrating how transaction volume climbed from $3 million to $906 million across eight generations.
Intermediate Layer: 79 Transit Addresses Converging on Known Hubs
Funds leaving the receiving hot wallets did not flow directly to the withdrawal layer. Instead, they passed through 79 intermediate transit addresses—each characterized by minimal inflow sources, numerous outflow destinations, and near-zero net balance. Over 80% of all routed funds ultimately converged on a small number of identified withdrawal channel hubs.
Caption: Intermediate-layer fund flow: funds move from receiving hot wallets through transit addresses and converge on identified withdrawal hubs.
Most funds flowed toward the withdrawal layer—but one node stood out conspicuously. A cross-generational hub received funds from 75% of the intermediate addresses, spanning six of the eight receiving generations, accumulating approximately $240 million. Yet its downstream structure diverged markedly from known withdrawal channels.
On-chain tracing revealed direct fund flows between this hub and multiple wallet addresses belonging to Huione Group. Huione is a Cambodian financial group sanctioned by the U.S. FinCEN and prohibited from accessing the U.S. financial system. On the inflow side, at least four Huione Group hot wallets transferred approximately $4.6 million to this hub via chains of intermediate addresses (minimum five hops). On the outflow side, the hub directly sent funds to at least two Huione Group deposit addresses—$4,200 and $1.5 million respectively.
The fund flows between this cross-generational hub and Huione indicate VerilyHK’s fund routing infrastructure may have leveraged Huione’s network as a money laundering conduit. This aligns with FinCEN’s designation of Huione as a “key node in laundering proceeds from virtual currency investment scams.”
Caption: Fund flows between the cross-generational hub and sanctioned Huione Group hot wallets and deposit addresses.
Withdrawal Layer: From Paired Channels to Shared Exchange Exit
The withdrawal-side generational structure mirrored the receiving side exactly. Three generations of withdrawal addresses were identified, with total withdrawals amounting to approximately $1.1 billion. As with the receiving layer, generational handovers occurred with second-level precision: on-chain timestamps show Generation Two’s cessation and Generation Three’s activation occurring simultaneously. This pattern is difficult to attribute to anything other than a preconfigured switching plan executed by the same operational team.
Within each generation, architecture followed a consistent pattern: dedicated bridging addresses first aggregated funds from the intermediate layer, then forwarded them to a pair of parallel withdrawal channels—one primary, one secondary. Each pair launched minutes apart and ceased operations seconds apart—but one consistently processed significantly more volume than the other. This “bridging → paired withdrawal” structure recurred across all three generations—demonstrating deliberate infrastructure design rather than ad hoc wallet creation.
Caption: Withdrawal layer illustrating three generations of paired channels, each maintaining largely independent downstream networks before converging at a shared exchange exit.
A closer look at Generation Three’s paired channels reveals the extent of this separation. One channel processed roughly 2.6 times more volume than the other. Comparing the top 100 large-value downstream counterparties for each channel yields a zero percent overlap. Though fed by identical upstream sources and operating concurrently, they maintained entirely independent downstream distribution networks.
What the two channels truly shared was the final exit point. In their small-value downstream transfers, both exhibited identical patterns: funds flowed through tens of thousands of one-time-use addresses (each with nearly one inbound and one outbound transaction), ultimately converging into the hot wallet of a single major centralized exchange (CEX). Even here, the sets of intermediary deposit addresses remained almost entirely disjoint—only nine of ~60,000 addresses overlapped—like two independent pipes feeding into the same exchange. On-chain data confirms funds entered the exchange’s processing pipeline, but cannot identify the specific user accounts behind those deposits.
Full Picture: Four-Stage Funnel
Aggregating all findings, VerilyHK’s on-chain fund routing architecture forms a clear four-stage funnel: highly decentralized at the front end, highly concentrated in the middle, decentralized again at the withdrawal layer, and finally consolidated at the exchange exit.
Caption: VerilyHK’s four-layer funnel architecture—deposit layer, receiving layer, intermediate layer, bridging layer, dual-track withdrawal, exchange exit.
Most striking is the sheer scale of transaction volume (approximately $1.6 billion in on-chain fund flow) juxtaposed against the sophistication of the underlying infrastructure: day-precise generational handovers; paired withdrawal channels with largely independent downstream networks; and tens of thousands of one-time addresses converging on a shared exchange exit.
For exchange compliance teams, the structural features documented here constitute actionable detection heuristics—especially the pattern of tens of thousands of one-time deposit addresses converging on a single hot wallet. For investigators and regulators, this layered architecture underscores why tracking illicit funds requires moving beyond individual transactions to reconstructing the full network topology.
All on-chain analysis in this article was conducted using MetaSleuth, an on-chain analysis tool developed by BlockSec as part of its anti-money laundering (AML) and compliance suite. Analyses followed the Highest-Value Path methodology, and all conclusions are annotated with evidence strength and applicability boundaries.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
@BlockSecTeam
