$5.3M Address Poisoning Network: Two Months Later

In February 2026, I exposed a cross-chain address poisoning network moving $5.3M across Avalanche, Ethereum, and Polygon. Two months later, I returned to the same wallets. The network is still running — and it's bigger.


TL;DR

  • 854 new operator wallets funded by the same Master Funder in the past 60 days

  • $16.8M USDT processed by the Ethereum collector from 1,450 unique senders

  • $1.2M USDC processed by the Polygon collector from 1,100 unique senders

  • Two addresses we previously labeled as "whale co-conspirators" are almost certainly exchange / OTC hot wallets — laundering starts at a CEX compliance gap, not a conspiracy

  • Wallet rotation theory confirmed: operator addresses turn over on a 2-3 month cycle, making static blacklists obsolete by design

The investigation publicity did not deter the network. It accelerated.


Recap — What We Found in February

In our February 2026 investigation, we traced:

  • 264+ operator wallets distributing 50+ Unicode-impersonation fake token contracts (Cyrillic UЅDT, Lisu ꓴꓢꓓt, zero-width invisibles)

  • 6,892+ poisoned addresses across three chains

  • $5.3M total capital moved, including 176M yen of JPYC

  • A single Master Funder at 0x54cdcbdb… — 16,226 AVAX balance, 1,585 lifetime recipients, ~53% confirmed operators

  • Two laundering collectors on Ethereum ($2.67M USDT) and Polygon ($788K USDC)

  • A proven relay pattern: victim → look-alike → relay → collector, 34 minutes end-to-end

The question we left open: does this network dismantle itself after exposure, or does it keep running?

We came back two months later. Here's what we found.


Methodology

On 2026-04-20, we re-pulled on-chain state for every address flagged in the February report — using Routescan (Avalanche, keyless), Etherscan V2 (Ethereum and Polygon, free API key), and ChainAnalyzer's Neo4j graph for cross-chain correlation.

Every number in this post is reproducible against public on-chain data as of 2026-04-20 06:45 UTC.


Headline Deltas

| Address | Role | Feb 17, 2026 | Apr 20, 2026 | Delta |
|---|---|---|---|---|
| 0x54cdcbdb… | Master Funder | 16,226 AVAX | 12,254 AVAX | −3,972 AVAX disbursed |
| 0x54cdcbdb… | Recipients | 1,585 (cumulative) | 2,439+ | +854 new destinations |
| 0xbca34ed5… | ETH Collector | $2.67M USDT | $5.97M USDT | +$3.30M (+124%) |
| 0xa6380bfd… | POL Collector | 249K POL + $788K USDC | 511K POL + $348K USDC | +262K POL, −$440K (laundered) |
| 0xa081aa46… | POL mass-poison funder | $12.55 | 23,435 POL (~$24K) | +1,870× |
| 0x3bce63c6… | "142K AVAX whale" | 141,904 AVAX | 168,901 AVAX | +27K AVAX |
| 0x9f8c163c… | "Top source" | (5,077 AVAX traced) | 1,688,967 AVAX (~$42M) | full profile now visible |
| 0xb2de52d8… | Primary operator | Active until 2026-02-15 | Dead since 2026-02-15 | ✅ rotated out |
| 0x03309000… | Active operator | Active 2026-02-17 | Depleted on 3 chains, last TX 2026-04-15 | ✅ rotated out |
| 0x4226dd74… | Main deployer (39 contracts) | 1.46 AVAX, active | Still active (2026-04-20 06:39) | Zero new deployments |
| 0x64424853… | Lisu deployer | Active | Dormant since 2025-12-23 | Retired |

Three things happened in parallel: aggressive new operator recruitment, continued laundering of victim funds into collectors, and systematic retirement of old operator wallets exactly as wallet-rotation theory predicted.


1. The Master Funder Keeps Recruiting

We pulled the most recent 10,000 transactions from 0x54cdcbdb…. After filtering to outflows since 2026-02-17:

  • 1,119 outbound AVAX transfers

  • 49,441 AVAX sent total (~$1.24M at $25/AVAX)

  • 854 unique destination addresses — none of which received funds before 2026-02-17

To put that in scale: the February investigation covered 1,585 lifetime recipients. In the two months since, the Master Funder added another 854 recipients, an expansion of 54% of the prior lifetime count, in 60 days.
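
The filter described above, as an added example (not the author's or ChainAnalyzer's code): it keeps outbound value transfers from a funder and returns only the destinations that were never funded before the cutoff. The record shape (explorer-style from/to/value/timeStamp strings), the placeholder addresses and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

WEI = 10**18  # AVAX on the C-Chain uses 18 decimals


def new_recipients(txs, funder, cutoff):
    """Destinations `funder` paid on/after `cutoff` but never before it.

    `txs` holds explorer-style records with string fields from, to,
    value (wei) and timeStamp (unix seconds); that shape is an assumption.
    """
    funder, cut = funder.lower(), int(cutoff.timestamp())
    before = set()
    after = defaultdict(lambda: {"avax": 0.0, "tx_count": 0})
    for tx in txs:
        if tx["from"].lower() != funder or int(tx["value"]) == 0:
            continue  # inflows and zero-value calls are not funding events
        dst = tx["to"].lower()
        if int(tx["timeStamp"]) < cut:
            before.add(dst)
        else:
            after[dst]["avax"] += int(tx["value"]) / WEI
            after[dst]["tx_count"] += 1
    fresh = {d: s for d, s in after.items() if d not in before}
    for s in fresh.values():
        # One large transfer vs. repeated top-ups, as the post distinguishes.
        s["pattern"] = "single-shot" if s["tx_count"] == 1 else "recurring"
    return fresh


def _tx(src, dst, avax, when):
    ts = int(datetime.fromisoformat(when).replace(tzinfo=timezone.utc).timestamp())
    return {"from": src, "to": dst, "value": str(int(avax * WEI)), "timeStamp": str(ts)}


# Constructed sample data; addresses are placeholders, not real wallets.
SAMPLE = [
    _tx("0xFUNDER", "0xold1", 40, "2026-01-10"),
    _tx("0xFUNDER", "0xold1", 15, "2026-03-01"),    # funded before cutoff: not new
    _tx("0xFUNDER", "0xnew1", 9000, "2026-03-02"),
    _tx("0xFUNDER", "0xnew2", 100, "2026-03-10"),
    _tx("0xFUNDER", "0xnew2", 50, "2026-04-19"),
    _tx("0xFUNDER", "0xnew3", 0, "2026-04-01"),     # zero-value call: ignored
    _tx("0xother", "0xFUNDER", 5000, "2026-02-20"),  # inflow: ignored
]
CUTOFF = datetime(2026, 2, 17, tzinfo=timezone.utc)
```

The "never funded before" test is only as complete as the transaction history supplied, so a window limited to the most recent transactions can miss older funding of the same destination.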

Top 10 New Destinations (Since Feb 17)

| Destination | AVAX received | First TX | Last TX | TX count |
|---|---|---|---|---|
| 0x33a089cb… | 9,722 | 2026-03-02 | 2026-03-02 | 1 |
| 0xf57a1140… | 9,297 | 2026-03-13 | 2026-03-13 | 1 |
| 0x6f7e6fdf… | 7,622 | 2026-04-02 | 2026-04-02 | 1 |
| 0xd7b9b792… | 3,677 | 2026-03-10 | 2026-04-19 | 38 |
| 0x0808469a… | 1,794 | 2026-02-20 | 2026-03-10 | 13 |
| 0xeae12a48… | 1,389 | 2026-04-10 | 2026-04-10 | 2 |
| 0xe36d6080… | 1,061 | 2026-03-04 | 2026-04-02 | 3 |
| 0x6632f500… | 1,032 | 2026-02-24 | 2026-03-06 | 3 |
| 0x89b8678f… | 856 | 2026-04-03 | 2026-04-18 | 10 |
| 0x951aa58d… | 844 | 2026-02-17 | 2026-04-17 | 7 |

The single-TX recipients receiving 7,000–10,000 AVAX in one shot look like fresh operator-funding events. The multi-TX recipients (38 transactions over a month) are mid-tier active operators.

The investigation exposing this network didn't slow it down. If anything, Master Funder activity accelerated.


2. The "Top Source" Was Not a Co-Conspirator

In February we noted a funder at 0x9f8c163c… that had sent 5,077 AVAX to the Master Funder but which we hadn't fully traced. Two months of additional data make clear: this address is almost certainly an exchange or OTC hot wallet, not part of the criminal network.

Evidence:

  • Current balance: 1,688,967 AVAX (~$42M)

  • First traceable activity: 2021-09-06 — pre-dates the entire poisoning operation by 4+ years

  • 2.7M AVAX inflow + 2.4M AVAX outflow in the last ~10,000 transactions alone

  • Behavior pattern today: hundreds of zero-value transfer calls per day, occasional execute calls on a router, small payments to fresh addresses — classic CEX hot-wallet idle / withdrawal fingerprint

  • Active on Ethereum and Polygon too — cross-chain hot wallet footprint

The 5,077 AVAX it once sent to the Master Funder was, in all likelihood, a regular withdrawal from a centralized exchange. The operator walked up to a CEX counter, withdrew AVAX, and walked away.

That's not a conspiracy. That's a compliance gap at the exchange.

Similarly, 0x3bce63c6… ("142K AVAX whale") — balance 168,901 AVAX, active today (last TX 2026-04-20 06:40 UTC), same hot-wallet fingerprint. Its 40 AVAX contribution to the primary operator in February was likely another exchange withdrawal.

Conclusion: there is no whale co-conspirator. The laundering-side money originates at one or two major exchanges that have poor outbound AML controls. This is actionable — and probably SAR-worthy if you're an agency.


3. The Collectors Are Busier Than Ever

Ethereum Collector 0xbca34ed5…

| Metric | Feb 17 | Apr 20 |
|---|---|---|
| USDT balance | $2,665,507 | $5,970,800 (+124%) |
| USDT received since Feb 17 | | $16,865,450 from 1,450 unique senders (2,574 TXs) |
| USDT sent out since Feb 17 | | $15,134,814 (5,693 TXs) |
| Last activity | | 2026-04-20 06:38 UTC |

In two months, this address handled $16.9M USDT inflow from 1,450 senders and $15.1M outflow. Net +$1.73M. At this velocity, the collector processes more USDT in one week than its entire Feb 17 balance.

Polygon Collector 0xa6380bfd…

| Metric | Feb 17 | Apr 20 |
|---|---|---|
| USDC balance | $788,521 | $348,256 (−56%) |
| POL balance | 249,588 | 511,722 (+106%) |
| USDC received since Feb 17 | | $1,201,642 from 1,100 unique senders (2,111 TXs) |
| USDC sent out since Feb 17 | | $1,633,777 (3,399 TXs) |
| Last activity | | 2026-04-20 06:40 UTC |

The USDC balance dropped because they're laundering it downstream, not because victim flow stopped. 1,100 unique senders in two months is up from 715 total in February. The relay pattern (victim → relay → collector within ~34 minutes) is still producing the majority of those inflows.
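
One way to surface the relay pattern from a collector's transfer history, as an added example that is not ChainAnalyzer's detector: pair each inflow to the collector with an earlier inflow of about the same amount to the sending address. The 34-minute window comes from the post; the 2% amount tolerance, the function names and the sample transfers are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def find_relay_hops(transfers, collector, window=timedelta(minutes=34), tol=0.02):
    """Pair each collector inflow with an earlier inflow to its sender.

    `transfers` is a list of (time, src, dst, amount) token transfers.
    A hit means `relay` forwarded roughly what it received (within `tol`)
    to `collector` no later than `window` after receiving it.
    Returns (origin, relay, amount, minutes) tuples.
    """
    inflows = defaultdict(list)
    for when, src, dst, amount in transfers:
        inflows[dst].append((when, src, amount))
    hits = []
    for when_out, relay, dst, amt_out in transfers:
        if dst != collector:
            continue
        for when_in, origin, amt_in in inflows[relay]:
            gap = when_out - when_in
            same_amount = abs(amt_in - amt_out) <= tol * amt_in
            if timedelta(0) <= gap <= window and same_amount:
                hits.append((origin, relay, amt_out, gap.total_seconds() / 60))
    return hits


def _t(hhmm):
    """Constructed timestamp on a single sample day."""
    return datetime(2026, 4, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample transfers; addresses are placeholders, not real wallets.
SAMPLE = [
    (_t("10:00"), "0xvictimA", "0xrelay1", 5000.0),
    (_t("10:21"), "0xrelay1", "0xcollector", 5000.0),  # forwarded in 21 min
    (_t("09:00"), "0xuserB", "0xwallet2", 800.0),
    (_t("15:30"), "0xwallet2", "0xcollector", 800.0),  # 6.5 h later: no hit
    (_t("11:00"), "0xuserC", "0xcollector", 120.0),    # direct deposit: no hit
]
```

A hit is a lead for review rather than proof, since legitimate services also forward deposits quickly.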


4. Wallet Rotation Was Real

In February we theorized that operator wallets are disposable. The data now confirms it:

  • Primary operator 0xb2de52d8… — last activity 2026-02-14, 3 days before we published. Dead ever since.

  • Active operator 0x03309000… — was active on all three chains in February. Today: AVAX depleted (last TX 2026-04-15), ETH depleted (last TX 2026-03-04), POL near-zero (last TX 2026-02-25)

  • Top operator 0x0808469a… — received another 1,794 AVAX late Feb to early March, then quiet. 80 AVAX remains

  • Lisu deployer 0x64424853… — dormant since 2025-12-23

The 854 fresh destinations the Master Funder has been seeding since Feb 17 are exactly the replacements. The operator population turns over on a roughly 2-3 month cycle.

Implication for AML teams: address blacklists decay. A list of operator addresses from February is 30–50% stale by April. Detection has to operate at the fund-flow and behavioral level, not the static-address level — which is exactly the design of ChainAnalyzer's Follow Mode and graph-clustering detectors.


5. The Mass-Poisoning Funder Paid Off

Perhaps the single most striking data point: the Polygon mass-poisoning funder at 0xa081aa46… spent just $12.55 to poison 6,874 addresses in January.

Today, that address holds 23,435 POL (~$24K). Active, last TX 2026-04-20 00:14 UTC.

From $12.55 to $24,000+, a 1,870× return on capital in 3 months, before even counting any funds it has already moved downstream.

That's the entire economic argument for why this attack class is not going away without active defense.


6. The Deployer Hasn't Shipped New Contracts — It Doesn't Need To

0x4226dd7419b1431f512d82a2c9e5fa1597fb1077 was the main fake-token deployer responsible for 39 Unicode-impersonation contracts. We checked whether it has deployed new contracts since Feb 17.

Zero new deployments. 200 other transactions.

The existing 39 contracts are still being used to mint and transfer fake tokens. The deployer is operational but not creating — meaning typical "contract creation detection" signals miss this operator entirely during the period it's most active.
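
A symbol-level check keeps working when no new contract is deployed, because it looks at the token symbol seen in a transfer rather than at contract creation. The sketch below is an added example, not ChainAnalyzer's P2 detector; the confusables table is a hand-built subset covering the Cyrillic, Lisu and zero-width cases the February report named, and the protected-symbol list is an assumption.

```python
import unicodedata

PROTECTED = {"USDT", "USDC", "JPYC"}  # symbols worth impersonating (assumed list)

# Hand-built subset of look-alike letters (constructed for this example;
# a production check would load Unicode's full confusables data).
CONFUSABLES = str.maketrans({
    "\u0405": "S", "\u0421": "C", "\u0422": "T", "\u0420": "P",  # Cyrillic
    "\ua4f4": "U", "\ua4e2": "S", "\ua4d3": "D", "\ua4d4": "T",  # Lisu
    "\ua4da": "C",                                               # Lisu
})


def skeleton(symbol: str) -> str:
    """Reduce a token symbol to the ASCII string a human would read."""
    # NFKC folds compatibility forms such as fullwidth letters.
    folded = unicodedata.normalize("NFKC", symbol)
    # Category Cf covers zero-width and other invisible format characters.
    visible = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    return visible.translate(CONFUSABLES).upper()


def classify_symbol(symbol: str) -> str:
    """Return 'impersonation', 'verify-contract' or 'unrelated'."""
    if skeleton(symbol) not in PROTECTED:
        return "unrelated"
    if symbol.isascii():
        # Reads as a protected symbol in plain ASCII: only the contract
        # address can tell the real token from a copy.
        return "verify-contract"
    # Non-ASCII input that still reads as a protected symbol.
    return "impersonation"
```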


What This Changes

For victims and potential victims

The network exposing itself to public investigation did not cause it to shut down. Every protective behavior we recommended in February still applies, with more urgency:

  • Never copy addresses from TX history

  • Compare character-by-character

  • Treat unsolicited tokens as a targeting signal

  • Screen destinations before sending

ChainAnalyzer does this free at chain-analyzer.com. The MCP server lets AI agents do it automatically before signing.
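
The character-by-character comparison can be automated before signing. This added example (not ChainAnalyzer's screening code) flags a destination that shares its first and last characters with a trusted address but differs in between; the address book, the 4-character edge and the addresses are constructed assumptions.

```python
def _hex40(addr):
    """Normalise an EVM address to 40 lowercase hex characters."""
    body = addr.lower().removeprefix("0x")
    if len(body) != 40 or any(c not in "0123456789abcdef" for c in body):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return body


def screen_destination(dest, address_book, edge=4):
    """Compare `dest` with trusted addresses over all 40 hex characters.

    Returns (verdict, name, first_diff): verdict is 'trusted', 'lookalike'
    (same first and last `edge` characters as a trusted entry, different
    middle) or 'unknown'; first_diff is the index where a look-alike diverges.
    """
    d = _hex40(dest)
    lookalike = None
    for name, addr in address_book.items():
        a = _hex40(addr)
        if a == d:
            return ("trusted", name, None)
        if a[:edge] == d[:edge] and a[-edge:] == d[-edge:]:
            diff = next(i for i in range(40) if a[i] != d[i])
            lookalike = ("lookalike", name, diff)
    return lookalike or ("unknown", None, None)


# Constructed addresses (not real wallets): same 4-character head and tail.
BOOK = {"supplier": "0x1234" + "a" * 32 + "5678"}
POISON = "0x1234" + "a" * 10 + "b" * 22 + "5678"
```

A 'lookalike' verdict should block the transfer outright, while 'unknown' only means the address is not in the book and still needs screening.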

For exchanges

Two addresses — 0x9f8c163c… and 0x3bce63c6… — have together funded wallets seeding thousands of poisoning operators. Our review strongly suggests these are exchange or OTC hot wallets. If they are yours, your withdrawal-side AML controls have a blind spot specific to address-poisoning actors. We would welcome a conversation.

For AML teams and regulators

Address-based blacklists decay within 2–3 months for this attack class because of deliberate wallet rotation. Effective detection has to operate at the fund-flow and graph level.

ChainAnalyzer's detector suite is explicitly designed around this:

  • P2 ADDRESS_POISONING for Unicode impersonation signatures

  • W9 / W10 bridge detectors for cross-chain laundering

  • Follow Mode for automatic BFS graph exploration

  • Exchange DB with 60+ known CEX hot wallets

For Japan-market crypto operators

The 176M yen of JPYC observed in this network in February — and the continued operator expansion since — continues to indicate that Japanese retail users are specifically in the crosshairs.

ChainAnalyzer's JPYC AML coverage was built for exactly this. If your product uses JPYC for B2B settlement, creator payouts, or EC payment acceptance, pre-transfer screening is no longer optional.


Takeaways

  • The $5.3M network is now materially larger than when we published the February report. The investigation publicity did not deter it; it accelerated

  • 854 new operator wallets funded by the single Master Funder in 60 days. Operator population rotates on a 2-3 month cycle

  • The Ethereum collector processed $16.8M USDT from 1,450 senders; the Polygon collector processed $1.2M USDC from 1,100 senders. Real victims, real money, active every day

  • Two "whale co-conspirators" are almost certainly exchange / OTC hot wallets. The laundering stack starts at a compliance gap inside those exchanges

  • The fake-token deployer has not shipped new contracts in two months. The existing 39 contracts suffice. Contract-creation-based detection misses this

  • For retail Web3, the defense is pre-transfer address screening. For AI agents, the defense is automatic screening via the ChainAnalyzer MCP server at $0.008 per check

We'll follow up again in 2-3 months. In the meantime, every new operator the Master Funder seeds between now and then will be tagged and propagated to ScamDB and the ChainAnalyzer detector suite automatically via Follow Mode.


Try It Yourself

Any of the addresses above can be scanned free at chain-analyzer.com. Or programmatically:

If you find new operator wallets the Master Funder has seeded, report them to ScamDB.


Originally published at chain-analyzer.com/news/address-poisoning-network-followup.
Prior investigation: The $5.3M Address Poisoning Network (February 2026).
ENS: chainanalyzer.eth · Engineering blog
