Author: BlockSec

Translation: Deep Tide TechFlow

Deep Tide Introduction: Blockchain security company BlockSec has conducted a comprehensive on-chain fund tracking for a Ponzi scheme platform disguised as a Hong Kong health technology company named VerilyHK. Within 16 months, the platform has processed approximately 1.6 billion USDT through the TRON network, utilizing 8 generations of receiving hot wallets, 79 intermediate addresses, and 3 generations of paired withdrawal channels, forming an industrial-grade fund routing infrastructure that ultimately consolidated into the same centralized exchange. The fund links also involve the Cambodia Huione Group, which has been sanctioned by FinCEN.

Key Findings: A platform disguised as a Hong Kong health technology group has circulated approximately 1.6 billion USDT through the TRON network in 16 months. This is a ceiling figure that includes potential internal fund circulation. On-chain analysis reveals an industrialized fund routing infrastructure: 8 generations of receiving hot wallets, 79 intermediate transitional addresses, 3 generations of paired withdrawal channels (including second-level switching), and a shared exchange outlet fed by tens of thousands of suspected recharge addresses. This article fully restores the entire chain topology from victims’ recharges to exchange withdrawals.

Background

VerilyHK presents itself as a legitimate Hong Kong health technology investment platform. The name itself raises suspicions of riding the trend: one is Verily Life Sciences, a precision health company under Alphabet, focusing on AI-driven healthcare and medical devices; the other is an environmental engineering company listed on the A-share market (stock code 300190), which has no relation to health technology or cryptocurrency. The website copy of VerilyHK claims proficiency in AI health, big data analysis, and medical devices, almost directly mirroring the public positioning of the real Verily. Its marketing language has also continuously evolved—from immune cell therapy, portable ECG devices, to AI health, health credit systems, data asset tokenization, and even claiming to have obtained licenses from the Hong Kong Securities and Futures Commission for Class 4 (Securities Consulting) and Class 9 (Asset Management).

Caption: A snapshot of verilyhk.com on the Wayback Machine, showing the platform's "About Us" page, claiming to offer health management solutions through AI, big data, and medical devices

In April 2025, the government of Heshan District issued a risk warning, clearly stating that the project exhibited "obvious characteristics of pyramid schemes and illegal fundraising," and relied on "overseas cryptocurrency transactions." By the end of April 2025, multiple anti-fraud monitoring platforms issued a crash warning. The platform ceased operations in February 2026.

Based on an approximately 1.6 billion dollar on-chain transaction volume, VerilyHK's scale far exceeds other cryptocurrency Ponzi schemes that have been prosecuted by regulatory authorities, including Forsage (300 million dollars, SEC lawsuit) and NovaTech (650 million dollars, SEC litigation). But until now, there has been no public on-chain analysis dissecting this cryptocurrency criminal operation.

This article does not rely on the above public warnings to draw conclusions. All subsequent content is based on on-chain data analysis of TRON USDT stablecoin fund flows related to the platform, progressively restoring the true nature of its internal infrastructure.

Starting Point

The investigation began with two TRON addresses provided by a victim: one recharge address and one withdrawal address. Tracking the connection between the two revealed not just a single path but a comprehensive multi-layer, multi-generational fund routing network.

Receiving Layer: 8 Generations of Hot Wallets Rotated Over 16 Months

VerilyHK did not rely on fixed receiving addresses. It used at least 15 addresses, organized into 8 different generations, rotating in a strict chronological order from October 2024 to February 2026 over 16 months.

These addresses did not run in parallel. They formed a relay chain: the end date of each generation precisely coincided with the start date of the next generation. This precise daily handover pattern occurred repeatedly across all 8 switches. Besides the handover time, adjacent generations also shared a large portion of the recharge address network, with an overlap rate exceeding 65%, confirming that they were operated by the same entity, just rotating new wallets.

The transaction volume processed by each generation increased dramatically over time. Early generations processed tens of millions of dollars monthly, but by the sixth generation, the transaction volume reached hundreds of millions. The final generation processed over 900 million dollars in less than 4 months. The cumulative transaction volume across all generations is approximately 1.6 billion dollars.

However, these figures should be regarded as ceiling reference values rather than net user recharge amounts. They come from a comprehensive aggregation of the graph, encompassing potential internal transfers. In a Ponzi structure, the "profits" paid to users may be reinvested, leading to the same funds being counted multiple times in the receiving layer. The subsequent surge in transaction volume likely reflects both real growth and increasing internal fund circulation.

Caption: Receiving layer timeline, showing the transaction volume of 8 generations of hot wallets rising from 3 million dollars to 906 million dollars

Intermediate Layer: 79 Intermediate Addresses Aggregated to Known Hubs

The funds leaving the receiving hot wallets did not flow directly to the withdrawal layer. They passed through 79 intermediate transitional addresses, each with very few inbound sources, multiple outbound targets, and nearly zero net retention. Over 80% of the flowing funds ultimately aggregated to a few identified withdrawal channel hubs.

Caption: Intermediate layer fund flow: from receiving hot wallets through intermediate addresses aggregating to identified withdrawal hubs

The majority of these funds moved to the withdrawal layer but one node stood out significantly. A cross-generational hub received funds from 75% of the intermediate addresses, spanning 6 of the 8 receiving generations, totaling approximately 240 million dollars. However, its downstream structure differed markedly from the identified withdrawal channels.

On-chain tracking revealed direct funding connections between this hub and multiple wallet addresses of the Huione Group. Huione is a Cambodian financial group that has been banned from entering the US financial system by FinCEN. On the inbound side, at least 4 Huione Group hot wallets transferred approximately 4.6 million dollars to this hub through a string of intermediate addresses (at least 5 hops). On the outbound side, the hub directly transferred funds to at least 2 recharge addresses of the Huione Group, amounting to 4,200 dollars and 1.5 million dollars respectively.

The flow of funds between this cross-generational hub and Huione suggests that VerilyHK's fund routing infrastructure may have utilized Huione's network as a money laundering channel. This aligns with FinCEN's determination that Huione is a "key node for laundering virtual currency investment fraud."

Caption: Flow of funds between the cross-generational hub and the sanctioned Huione Group hot wallets and recharge addresses

Withdrawal Layer: From Paired Channels to Shared Exchange Outlets

The generational structure on the withdrawal side mirrored that of the receiving side. A total of 3 generations of withdrawal addresses were identified, with a total withdrawal volume of approximately 1.1 billion dollars. Similar to the receiving layer, the transition between generations was precise to the second: on-chain timestamps show that the second generation's channel stop and the third generation's channel start occurred simultaneously. This pattern is difficult to explain by other causes and can only be attributed to a switching scheme predetermined by the same operational team.

Within each generation, the structure followed a consistent pattern: dedicated bridging addresses first aggregated intermediate layer funds, then forwarded them to a pair of parallel withdrawal channels—a main line and a secondary line. The initiation times of each pair of channels differed by a few minutes, while the stop times differed by a few seconds, but the processing volume of one line consistently outweighed the other. This "bridging → paired withdrawal" structure recurred across the three generations, proving that it was a designed infrastructure, not a temporarily created wallet.

Caption: Withdrawal layer showcasing 3 generations of paired channels, each with fundamentally independent downstream networks, ultimately aggregating to shared exchange outlets

A closer look at the third generation of paired channels reveals greater separation. The processing volume of one channel is approximately 2.6 times that of the other. Comparing their top 100 large downstream trading counterparts, the overlap rate is zero. Although supplied by the same upstream sources and operating simultaneously, they maintained completely independent downstream distribution networks.

The true sharing between the two lines is the final outlet. In their minor downstream transfers, both lines exhibit the same pattern: funds flow through tens of thousands of one-time addresses (each with almost one inbound and one outbound transaction), ultimately converging into the same main centralized exchange (CEX) hot wallet. However, even here, the intermediaries of the two recharge address groups are almost entirely independent—of about 60,000 addresses, only 9 are shared, much like two separate pipelines feeding into the same exchange. On-chain data confirms that the funds entered the exchange's processing pipeline but does not identify the specific user accounts behind these recharges.

Panorama: Four-Layer Funnel

Summarizing all findings, VerilyHK's on-chain fund routing structure forms a clear four-stage funnel: highly decentralized at the front end, highly concentrated in the middle, again decentralized at the withdrawal layer, and ultimately exporting through the exchange.

Caption: VerilyHK four-layer funnel structure—recharge layer, receiving layer, intermediate layer, bridging layer, dual-line withdrawal, exchange outlet

The most striking aspect is the enormous transaction volume (approximately 1.6 billion dollars of cumulative on-chain fund flow) and the sophistication of the underlying infrastructure: precise day-to-day generational handovers, paired withdrawal channels with fundamentally independent downstream networks, and tens of thousands of one-time addresses converging into shared exchange outlets.

For the exchange compliance teams, the structural features recorded in this article constitute actionable detection heuristic indicators, particularly the pattern of tens of thousands of one-time recharge addresses converging into the same hot wallet. For investigators and regulatory authorities, this layered structure illustrates why tracking illegal funds requires moving beyond individual transactions to reconstruct a complete network topology.

All on-chain analysis in this article was conducted using the MetaSleuth on-chain analysis tool, which is part of BlockSec's anti-money laundering and compliance suite. The analysis follows the highest value path methodology, and all conclusions are annotated with evidence strength and applicable boundaries.