Fake Hong Kong health technology company swipes 1.6 billion USDT, on-chain tracking reveals the full scam.

Author: BlockSec

Compiled by: Deep Tide TechFlow

Deep Tide Guide: Blockchain security company BlockSec conducted a comprehensive on-chain fund tracking of VerilyHK, a Ponzi platform disguised as a Hong Kong health technology company. Over 16 months, the platform processed approximately $1.6 billion USDT cumulatively via the TRON network, using 8 generations of collection hot wallets, 79 intermediary addresses, and 3 generations of paired payout channels, building an industrial-grade fund routing infrastructure that ultimately flowed into the same centralized exchange. The fund flow also involved the Cambodia Huione group, which has been sanctioned by FinCEN.

Key Findings: A platform disguised as a Hong Kong health technology group processed approximately $1.6 billion USDT via the TRON network over 16 months. This is an upper-bound figure that includes potential internal fund recycling. On-chain analysis reveals an industrialized fund routing infrastructure: 8 generations of collection hot wallets, 79 intermediate transition addresses, 3 generations of paired payout channels (including second-level switching), and a shared exchange exit fed by tens of thousands of suspected deposit addresses. This article fully reconstructs the end-to-end topology from victim deposits to exchange withdrawals.

Background

VerilyHK presents itself externally as a lawful Hong Kong health technology investment platform. The name itself raises suspicions of riding on hype: one is Verily Life Sciences, Alphabet’s precision health company that focuses on AI-driven healthcare and medical devices; the other is an environmental engineering company listed on China’s A-shares (stock code 300190), with no connection to health technology or cryptocurrency. VerilyHK’s website copy claims expertise in AI health, big data analysis, and medical devices—almost a verbatim copy of Verily’s true public positioning. Its marketing pitches have also been changing continuously—from immune cell therapy and portable ECG devices, to AI health, a health credit system, data asset tokenization, and even claims to have obtained licenses from the Hong Kong Securities and Futures Commission for Type 4 (Securities Advisory) and Type 9 (Asset Management).

Figure caption: Snapshots of verilyhk.com on the Wayback Machine showing the platform’s “About Us” page, claiming health management solutions through AI, big data, and medical devices

In April 2025, the Hequshan District government issued a risk warning, explicitly stating that the project has “obvious characteristics of pyramid schemes and illegal fundraising,” and depends on “offshore cryptocurrency trading.” By late April 2025, multiple anti-fraud monitoring platforms issued collapse warnings. The platform stopped operations in February 2026.

Based on the on-chain transaction volume of about $1.6 billion, VerilyHK is far larger than other crypto Ponzi schemes that have been pursued by regulators, including Forsage ($300 million, SEC lawsuit) and NovaTech ($650 million, SEC lawsuit). But until now, no public on-chain analysis has dissected this crypto-crime operation.

This article does not draw conclusions based on the above public warnings. All content below is based on on-chain data analysis of the TRON USDT stablecoin fund flows related to the platform, progressively restoring the true nature of its internal infrastructure layer by layer.

Starting Point

The investigation began with two TRON addresses provided by a victim: one deposit address and one withdrawal address. Tracing the association between the two revealed not only a single path, but an entire multi-layer, multi-generation fund routing network.

Collection Layer: 8 Generations of Hot Wallets Rotating Over 16 Months

VerilyHK did not rely on fixed deposit addresses. It used at least 15 addresses, organized into 8 different generations, rotating in strict chronological order over 16 months from October 2024 to February 2026.

These addresses were not run in parallel. They formed a relay chain: each generation’s end date precisely matched the next generation’s start date. This day-level handover pattern recurred across all 8 switches. Besides the handover time, adjacent generations also shared most of the deposit address network, with an overlap rate exceeding 65%, confirming that they were operated by the same entity—only with the rotation to new wallets.

The transaction volume handled by each generation increased sharply over time. Early generations processed tens of millions of dollars per month, but by the sixth generation, the volume had reached the hundreds of millions. The final generation processed more than $900 million in less than 4 months. The cumulative transaction volume across all generations was about $1.6 billion.

But these figures should be treated as upper-bound reference values rather than net user deposit amounts. They come from aggregated mapping across the full graph, including potential internal transfers. In a Ponzi structure, the “profits” paid to users may be reinvested, causing the same funds to be counted multiple times at the collection layer. The explosive growth in later transaction volumes likely reflects both genuine growth and increasingly severe internal fund cycling.

Figure caption: Collection layer timeline showing 8 generations of hot wallets’ transaction volume rising from $3 million to $906 million

Intermediate Layer: 79 Intermediary Addresses Converging to Known Hubs

Funds leaving the collection hot wallets did not flow directly to the payout layer. Instead, they passed through 79 intermediate transition addresses. Each address had very few inbound sources, many outbound targets, and near-zero net retention. More than 80% of the funds that flowed through ultimately converged on a small number of identified payout channel hubs.

Figure caption: Fund flow in the intermediate layer—funds from the collection hot wallets passing through intermediary addresses converging to identified payout hubs

Most of these funds flowed into the payout layer, but one node stood out. A cross-generational hub received funds from 75% of the intermediate addresses, spanning 6 of the 8 collection generations, totaling about $240 million. However, its downstream structure was clearly different from the identified payout channels.

On-chain tracking revealed a direct funds link between this hub and multiple wallet addresses of the Huione group. Huione is a Cambodian financial group that has been listed by the US FinCEN as barred from entering the US financial system. On the inflow side, at least 4 Huione group hot wallets transferred about $4.6 million into this hub via a chain of intermediary addresses (minimum 5 hops). On the outflow side, this hub directly transferred funds to at least 2 Huione group deposit addresses, with amounts of $4,200 and $1.5 million, respectively.

This cross-generational hub-to-Huione fund flow indicates that VerilyHK’s fund routing infrastructure may have used Huione’s network as a money laundering channel. This matches FinCEN’s assessment: Huione is a “key node in virtual currency investment scam money laundering.”

Figure caption: Fund flow between the cross-generational hub and sanctioned Huione group hot wallets and deposit addresses

Payout Layer: From Paired Channels to Shared Exchange Exit

The generational structure on the withdrawal side mirrored that on the collection side. Three generations of payout addresses were identified, with total withdrawals of about $1.1 billion. As with the collection layer, the switches between generations were precise to the second: on-chain timestamps show that the second-generation channel stopped and the third-generation channel started at the same moment. This pattern is difficult to explain by other reasons and can only be attributed to a pre-set switching plan by the same operating team.

Within each generation, the architecture followed a consistent pattern: dedicated bridging addresses first aggregated funds from the intermediary layer, then forwarded them to a pair of parallel payout channels—one main line and one secondary line. The start times of each channel pair differed by minutes, and their stop times differed by seconds, but one of the two always handled significantly more volume than the other. This “bridging → paired payout” structure recurred across all three generations, proving it was designed infrastructure rather than ad hoc wallet creation.

Figure caption: Payout layer showing 3 generations of paired channels, each with a largely independent downstream network, ultimately converging into a shared exchange exit

Looking closely at the third-generation paired payout channels, the degree of separation is even clearer. The processing volume of one channel was about 2.6 times that of the other. When comparing the top 100 large downstream counterpart transactions ranked by each channel, the overlap rate was zero. Although they were supplied from the same upstream sources and operated simultaneously, they operated entirely independent downstream distribution networks.

What the two lines truly shared was only the final exit. In their small downstream transfers, both lines showed the same pattern: funds passed through tens of thousands of one-time addresses (each address had almost only one deposit and one withdrawal), and ultimately flowed into the same major centralized exchange (CEX) hot wallet. But even here, the intermediary deposit addresses across the two groups were almost completely independent—of approximately 60,000 addresses, only 9 were shared—like two separate pipelines feeding into the same exchange. On-chain data confirmed that funds entered the exchange’s processing pipeline, but it was unable to identify the specific user accounts behind these deposits.

Panoramic View: A Four-Layer Funnel

By consolidating all findings, VerilyHK’s on-chain fund routing architecture formed a clear four-stage funnel: an extremely dispersed front end, a highly centralized intermediate stage, again a dispersed payout layer, and finally exiting through the exchange.

Figure caption: VerilyHK’s four-layer funnel architecture—deposit layer, collection layer, intermediate layer, bridging layer, dual-line payout, exchange exit

Most striking are the massive transaction volume (total on-chain fund flow of about $1.6 billion) and the precision of the underlying infrastructure: generation handovers accurate to the day, paired payout channels with essentially independent downstream networks, and tens of thousands of one-time addresses funneling into a shared exchange exit.

For exchange compliance teams, the structural features documented in this article provide actionable detection heuristic indicators—especially the pattern of tens of thousands of one-time deposit addresses converging into a single hot wallet. For investigators and regulators, this layered architecture explains why tracking illegal funds requires going beyond single transactions and reconstructing the full network topology.

All on-chain analysis in this article was performed using MetaSleuth, an on-chain analysis tool, part of BlockSec’s anti-money laundering and compliance suite. The analysis follows a highest-value-path methodology, and all conclusions are labeled with the strength of evidence and applicable boundaries.