Impostor "Hong Kong health tech" scheme moved up to $1.6B USDT on TRON, BlockSec finds
BlockSec says it has reconstructed the onchain money trail behind "VerilyHK," a suspected Ponzi operation posing as a Hong Kong health-technology investment platform. Based on TRON-based USDT flows, the scheme processed about $1.6 billion over roughly 16 months, using a multi-layer routing setup that ultimately funneled funds into a single centralized exchange (CEX). BlockSec cautioned that the $1.6 billion figure is an upper-bound estimate that may include the internal recycling typical of Ponzi-style cashflows.
The security firm traced the network end-to-end, from victim deposits to exchange-bound withdrawals. It identified eight waves of rotating receiving hot wallets, 79 intermediary transit addresses, and three generations of paired withdrawal channels. BlockSec said the infrastructure appears industrialized: wallet handovers occurred with day-level precision across deposit generations, and second-level precision across withdrawal generations.
Background and public warnings
VerilyHK presented itself as a legitimate health-tech platform, with marketing that echoed the branding of Verily Life Sciences (Alphabet's precision-health unit). BlockSec also noted name confusion with an unrelated A-share listed environmental engineering company (stock code 300190). VerilyHK's promotional narrative shifted repeatedly, spanning immune cell therapy, portable ECG devices, AI health, health credit systems, and data-asset tokenization, and at times claimed it held Hong Kong SFC Type 4 (advising on securities) and Type 9 (asset management) licenses.
In April 2025, the He Shan District government issued a risk alert, saying the project showed "clear characteristics of pyramid scheme and illegal fundraising" and relied on "overseas cryptocurrency trading." By late April 2025, several anti-fraud monitoring services warned of an imminent collapse. The platform stopped operating in February 2026.
BlockSec said the onchain throughput it observed would place VerilyHK above other prominent crypto Ponzi cases pursued by U.S. regulators, citing Forsage (~$300 million, SEC lawsuit) and NovaTech (~$650 million, SEC litigation). The firm emphasized its write-up relies on onchain TRON USDT data rather than public warnings.
How the tracing started
The investigation began with two TRON addresses provided by a victim: one deposit address and one withdrawal address. From that link, BlockSec mapped a broader, multi-generation routing topology.
Deposit/receiving layer: 8 generations of rotating hot wallets
BlockSec found VerilyHK did not use fixed receiving addresses. Instead, it used at least 15 addresses grouped into eight chronological generations, rotated sequentially from October 2024 through February 2026. The generations did not run in parallel; each generation's end aligned with the next generation's start in what BlockSec described as a consistent handoff pattern.
Adjacent generations shared more than 65% overlap in their suspected deposit-address networks, which BlockSec said supports common control. Volumes scaled sharply over time: early generations processed tens of millions of dollars per month; by the sixth generation, monthly flows reached hundreds of millions. The final generation processed over $900 million in under four months. Total flow across all generations was around $1.6 billion, though BlockSec stressed this should be treated as an upper bound because internal cycling and reinvestment can cause double-counting at the receiving layer.
Intermediate layer: 79 transit addresses and a hub tied to sanctioned Huione links
Funds leaving the receiving hot wallets generally did not go directly to payout channels. BlockSec identified 79 intermediary addresses characterized by few inbound sources, multiple outbound destinations, and near-zero net retention. More than 80% of the transiting funds ultimately concentrated into a small set of identified withdrawal-channel hubs.
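The three transit-address traits described above can be expressed as a filter over a transfer list. The following is an added example, not BlockSec's code or methodology: the thresholds, function names and address labels are assumptions, the sample transfers are constructed, and the hub-concentration check counts only direct transfers rather than multi-hop paths.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, USDT amount); labels are placeholders.
TRANSFERS = [
    ("HOT_A", "T1", 50_000), ("HOT_A", "T1", 30_000),
    ("T1", "W_MAIN", 45_000), ("T1", "W_AUX", 20_000), ("T1", "HUB_X", 14_990),
    ("HOT_A", "T2", 10_000), ("HOT_B", "T2", 12_000),
    ("T2", "W_MAIN", 11_000), ("T2", "W_AUX", 10_995),
    ("U1", "SHOP", 100), ("U2", "SHOP", 250), ("U3", "SHOP", 75),
    ("SHOP", "SUPPLIER", 120), ("SHOP", "LANDLORD", 90),
]

def address_profiles(transfers):
    """Aggregate per-address inflow/outflow totals and distinct counterparties."""
    prof = defaultdict(lambda: {"in": 0, "out": 0, "src": set(), "dst": set()})
    for sender, receiver, amount in transfers:
        prof[sender]["out"] += amount
        prof[sender]["dst"].add(receiver)
        prof[receiver]["in"] += amount
        prof[receiver]["src"].add(sender)
    return prof

def find_transit_addresses(transfers, max_sources=2, min_dests=2, max_retention=0.01):
    """Few inbound sources, several outbound destinations, near-zero net retention.
    All three thresholds are illustrative assumptions, not values from the report."""
    hits = []
    for addr, p in address_profiles(transfers).items():
        if p["in"] == 0:
            continue  # pure senders at the edge of the sample cannot be pass-through
        retention = (p["in"] - p["out"]) / p["in"]
        if (len(p["src"]) <= max_sources and len(p["dst"]) >= min_dests
                and abs(retention) <= max_retention):
            hits.append(addr)
    return sorted(hits)

def hub_concentration(transfers, transit, hubs):
    """Share of transit-address outflow sent directly to the given hub addresses."""
    total = to_hubs = 0
    for sender, receiver, amount in transfers:
        if sender in transit:
            total += amount
            if receiver in hubs:
                to_hubs += amount
    return to_hubs / total if total else 0.0
```

On the constructed sample, `T1` and `T2` are flagged while `SHOP`, which retains about half of what it receives, is not.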
One node stood out as a cross-generational hub. BlockSec said it received inflows from roughly 75% of the intermediary addresses and spanned six of the eight receiving generations, totaling about $240 million. Its downstream pattern, unlike that of the other hubs, differed from the main withdrawal channels.
BlockSec reported onchain links between this hub and multiple wallet addresses associated with Cambodia's Huione Group, which it noted has been added by the U.S. Financial Crimes Enforcement Network (FinCEN) to the list of entities prohibited from accessing the U.S. financial system. On the inbound side, BlockSec said at least four Huione-associated hot wallets routed about $4.6 million to the hub through intermediary chains of at least five hops. On the outbound side, the hub sent funds directly to at least two Huione-associated deposit addresses in transactions of $4,200 and $1.5 million. BlockSec said these connections suggest Huione's network may have been used as a laundering corridor, consistent with FinCEN's assessment of Huione as a "key node" in money laundering tied to virtual-currency investment scams.
Withdrawal layer: paired channels converging on one exchange exit
On the payout side, BlockSec identified three generations of withdrawal addresses with total outflows of roughly $1.1 billion. Generation switches were timestamped to the second: the second-generation channel stopped at the same moment the third-generation channel began, a pattern BlockSec said is best explained by a programmed transition run by the same operators.
Within each withdrawal generation, BlockSec observed a repeated structure. Bridging addresses first aggregated funds from the intermediary layer, then forwarded them into two parallel channels—a main and an auxiliary. The two channels typically started minutes apart and ended seconds apart, while the main channel consistently handled far more volume.
In the third-generation pair, one channel processed about 2.6 times the volume of the other. BlockSec compared the top 100 large downstream counterparties for each channel and found zero overlap, indicating fully separate downstream distribution networks even though both channels were funded by the same upstream sources.
The two lines converged only at the final exit: small, repeated transfers flowed through tens of thousands of one-time addresses (typically with one incoming and one outgoing transaction) before reaching the same CEX hot wallet. Even there, the deposit-address sets feeding the exchange were nearly independent: only 9 addresses overlapped out of about 60,000. BlockSec said onchain data confirms deposits entered the exchange's processing pipeline but cannot identify the specific user accounts.
A four-stage funnel and compliance signals
BlockSec summarized the structure as a four-layer funnel: highly decentralized at the front end, centralized in the middle, decentralized again across withdrawal networks, and then consolidated at an exchange exit. The firm said the scale of the flows and the precision of the operational patterns—time-aligned generation handovers, paired payout channels with independent counterparties, and mass use of one-time addresses—point to a deliberately engineered routing system.
BlockSec said the documented patterns can serve as practical detection heuristics for exchange compliance teams, especially the convergence of tens of thousands of one-time deposit addresses into a single hot wallet. For investigators and regulators, it argued that the layering explains why effective tracing requires reconstructing the full topology rather than following isolated transactions.
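The convergence heuristic, together with the deposit-set overlap comparison from the withdrawal-layer section, can be sketched as follows. This is an added example, not BlockSec's or MetaSleuth's code: the thresholds, function names and address labels are assumptions, and the sample transfers are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample (sender, receiver, USDT amount); labels are placeholders.
TRANSFERS = (
    [("MAIN", f"m{i}", 900) for i in range(6)] + [(f"m{i}", "CEX_HOT", 899) for i in range(6)]
    + [("AUX", f"a{i}", 400) for i in range(4)] + [(f"a{i}", "CEX_HOT", 399) for i in range(4)]
    + [("MAIN", "shared", 500), ("AUX", "shared", 300), ("shared", "CEX_HOT", 799)]
    + [("RETAIL", "CEX_HOT", 50), ("RETAIL", "SHOP", 20), ("x1", "SHOP", 5)]
)

def one_time_addresses(transfers):
    """Addresses with exactly one incoming and one outgoing transfer."""
    n_in, n_out = Counter(), Counter()
    for sender, receiver, _ in transfers:
        n_out[sender] += 1
        n_in[receiver] += 1
    return {a for a in n_in if n_in[a] == 1 and n_out[a] == 1}

def convergence_sinks(transfers, min_feeders=5, min_share=0.8):
    """Flag receivers whose direct depositors are mostly one-time addresses.
    Both thresholds are illustrative assumptions."""
    once = one_time_addresses(transfers)
    depositors = defaultdict(set)
    for sender, receiver, _ in transfers:
        depositors[receiver].add(sender)
    flagged = {}
    for sink, deps in depositors.items():
        feeders = deps & once
        if len(feeders) >= min_feeders and len(feeders) / len(deps) >= min_share:
            flagged[sink] = len(feeders)
    return flagged

def deposit_set(transfers, channel, sink):
    """Direct depositors of `sink` that are reachable downstream from `channel`."""
    graph = defaultdict(set)
    for sender, receiver, _ in transfers:
        graph[sender].add(receiver)
    seen, stack = set(), [channel]
    while stack:
        node = stack.pop()
        for nxt in graph[node] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return {a for a in seen if sink in graph[a]}
```

Intersecting `deposit_set(TRANSFERS, "MAIN", "CEX_HOT")` with the same call for `"AUX"` yields the addresses shared by both channels, which in the constructed sample is the single address `shared`.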
BlockSec said the analysis was performed using MetaSleuth, part of its AML and Compliance suite, applying the "Highest Value Path" methodology and labeling conclusions by evidence strength and scope.