BlueWing Intel · Fraud Watch · Issue №2026135

$5.29M flowed into Tornado Cash in the last 24 hours.

89 discrete deposits across four pool denominations, computed live from on-chain logs. Tornado's smart contracts were sanctioned in August 2022 — the contracts themselves are immutable and keep accepting ETH. This is what the chain actually shows, not an API estimate.

Editor's note — what this edition actually is

This is Fraud Watch №1. Every figure below is pulled live from public sources at generation time. No sample data, no padding. Sections without live signal are hidden, not filled. We lead with Tornado Cash deposit counts because the signal is timely, computable on free public RPC, and missing from every free competitor. Our proprietary labeled-wallet database seeds with every run.

Lead · Mixer Inflows · Tornado Cash · Last 24h

$5.29M in · 89 deposits · 2348.90 ETH

Pool	Deposits	ETH in	Contract
0.1 ETH	29	2.90 ETH	0x12D66f87…
1 ETH	26	26.00 ETH	0x47CE0C6e…
10 ETH	12	120.00 ETH	0x910Cbd52…
100 ETH	22	2200.00 ETH	0xA160cdAB…

Computed via eth_getLogs against the four canonical Tornado Cash ETH pools. Contracts were designated by OFAC on 2022-08-08; they remain immutable and continue accepting deposits. Anyone who deposited in the last 24 hours has, by Treasury position, touched sanctioned infrastructure.

Our Focus · USDT-TRC20 on TRON · The Rail Nobody Covers

$130.3K

across 6 notable transfers in the latest Tronscan window — live from the chain, not an aggregator.

TRON USDT moved ~$62B at last issuance count and is the dominant stablecoin venue for pig-butchering, ransomware off-ramps, and sanctions evasion. Sell-side doesn't cover it. Chainalysis dashboards it but won't publish it. This is BlueWing's lane.

Amount	Time (UTC)	From → To
$10.0K	2026-05-15 12:17	`TCBA5nE7…h6H8MW` → `TDD1VzLF…8cRUxa`	trace →
$22.5K	2026-05-15 12:17	`TGqdHfgp…CryWMv` → `TDCXCH9Q…2ugLBB`	trace →
$22.4K	2026-05-15 12:17	`TYGkqAto…6d8fdG` → `TSGNsemR…VgAxDN`	trace →
$10.0K	2026-05-15 12:17	`TLfMyTGv…yXKM77` → `THGeGt8E…WNnPQH`	trace →
$15.3K	2026-05-15 12:17	`TJgo62pZ…NDMMS4` → `TVJVJbao…hdJZwQ`	trace →
$50.0K	2026-05-15 12:17	`TLaGjwhv…eGYitv` → `TNH8aT1L…p5bQPw`	trace →

BTC Whale Moves · Last 24h

Transactions ≥5.0 BTC from mempool (unconfirmed) and the latest block (confirmed). Live from blockchain.info and mempool.space.

Size	Transaction	State
14.83 BTC $1.19M	`1ca54d7f…0471aa`	confirmed
8.06 BTC $648.5K	`e2b87574…bf8236`	mempool
6.25 BTC $502.5K	`c29118e5…7104cb`	mempool
5.36 BTC $431.5K	`2427a1a5…e16ee1`	mempool

Protocol Exploits · Rekt Ledger · Last 30 Days

$290.0M

KelpDao

— 4/18/2026 A2 · Rekt

DPRK breached LayerZero's infrastructure, forged a bridge message, and walked $290 million out of KelpDAO in one transaction. Aave is holding hundreds of millions in bad debt. The dominoes are still falling. DeFi United is scrambling to catch them.

KelpDAOLayerZeroAave

post-mortem →

Live X Alerts · PeckShield / SlowMist / ZachXBT · Last 72h

@PeckShieldAlert 2026-05-15 10:04
#PeckShieldAlert The @trustedvolumes exploiter has deposited 100 $ETH to #TornadoCash
view post →
@PeckShieldAlert 2026-05-15 09:58 ETH
#PeckShieldAlert @THORChain has been exploited for ~$10M worth of crypto, including 36.75 $BTC ($3M) and ~$7M worth of assets from #BNBChain, #Ethereum, and #Base. The stolen funds mainly sit in: bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 0xd477b69551f49C0519F9B18c55030676138890Bd
view post →
@SlowMist_Team 2026-05-15 09:56 ARB
🚨 Exploit Analysis | ShapeShift FOX Colony Authorization Trust Chain Flaw SlowMist analyzed the recent ShapeShift FOX Colony exploit on Arbitrum, where attackers abused a semantic conflict between meta-transactions and DSAuth self-call authorization to hijack the resolver and drain all ERC20 assets via malicious deleg
view post →
@zachxbt 2026-05-14 12:17
9/ It seems everyone has private info except retail. Team knows the unlocks, MM knows the positioning, OTC buyers know their cliffs. Retail only sees LAB price. Call to action for @bitgetglobal, @binance, @gate_io to freeze insider profits and redistribute them to users. Or delist and act earlier without waiting for p
view post →
@zachxbt 2026-05-14 12:17
8/ 226M LAB (large % of float) was deposited to Bitget deposit addresses by insiders in March-April 2026. The deposits sat dormant until 100M LAB was withdrawn a few days ago, which received significant coverage on CT. An unknown MM operating via Chinese exchanges likely received supply and appears to be running a sim
view post →
@zachxbt 2026-05-14 12:17
7/ One of the signers for several LAB team multisigs was funded by an insider linked onchain to RIVER manipulation. The same insider received $12M+ of RIVER tokens to two CEX deposit addresses. Signer address: 0xcEA722a1A812EbDFA5BBD8130531cF1D1956eBC9
view post →

Fresh Drainer Wallets

From ScamSniffer's daily-updated open blocklist. Import before the EOD open.

Chain	Address	Label	Grade
ETH	`0x0660e5…fb2ac7`	Drainer	B2
ETH	`0x1fa47d…e8c493`	Drainer	B2
ETH	`0x7fe421…757e55`	Drainer	B2
ETH	`0x0a24ea…701144`	Drainer	B2
ETH	`0xc61248…5b6906`	Drainer	B2
ETH	`0x04ee62…d43166`	Drainer	B2
ETH	`0x6a2142…4d3e44`	Drainer	B2
ETH	`0xd3ed4e…945e9d`	Drainer	B2
ETH	`0xb240f8…80e6ba`	Drainer	B2
ETH	`0x013c72…97a7c4`	Drainer	B2
ETH	`0x42b168…1b7de6`	Drainer	B2
ETH	`0xfe1e5b…37c858`	Drainer	B2
ETH	`0xcc0b48…5cb2b8`	Drainer	B2
ETH	`0x92c582…94b6c9`	Drainer	B2

Phishing Domains · MetaMask Feed

Live blacklist from MetaMask's eth-phishing-detect. 107,921 total entries, showing 12.

poly-mark.xyz
openseoa.app
opencea.mom
opensea.support
openmsea.io
opnsea.top
openesea.eu
opencea.shop
oplensea.io
opensaea.io
opensrea.io
opensesa.io

Tether-Frozen Addresses

ETH addresses blacklisted by Tether on the USDT ERC-20 contract. These wallets hold frozen USDT that cannot be transferred.

Addresses frozen

The Moat · Labeled Wallet DB

Every Fraud Watch issue appends to our proprietary bluewing_labels database. 653 OFAC-sanctioned + 30 ScamSniffer drainers + 93 Tether-frozen seeded on day one. Queryable via REST API and the upcoming bluewing-mcp server.

Forensic reports · when a daily scan is not enough

Stop guessing. Start citing.

A risk verdict in thirty seconds, a filable report in three days, or the full intelligence package in ten. Same evidence discipline every BlueWing PDF has shipped since day one: SHA-256 manifests, confidence-graded findings, and a transaction hash behind every claim.

Free · Risk Check

Thirty seconds · Public

Paste the address. Green, yellow, or red in under thirty seconds. OFAC and sanctions, drainer and scam-registry hits, exposure tags, one-line plain-English summary. Enough to know whether to walk away or pick up the phone. No credit card.

First 3 lookups · no email needed
Then 2 / day · 10 / week · email-verified
Cloudflare Turnstile bot protection

Check a wallet now →

Pro · On-Chain Report

On-chain analysis - 24 hr delivery

$2,500

For the deal that needs a paper trail. Full transaction history, a three-hop connected-wallet graph, mixer entry flags, supply-concentration analysis, drainer-ring identification, multi-chain on the single entity. Watermarked PDF with SHA-256 evidence manifest, independently verifiable by your counterparty. Priced to close on a corporate card. No RFP. No committee.

Request a Pro report →

Founding price

Elite · Full Intelligence

On-chain + OSINT - 48 hrs delivery

$7,500

$12,500 at list after founding window

For serious matters where counsel is already involved. Everything in Pro, plus the OSINT layer that holds up under scrutiny: GitHub scam-site enumeration, IPFS metadata, WHOIS pivots, social and homoglyph cross-reference, up to three chains with a five-hop network graph. Structured JSON export for the data room. Optional on-chain anchoring for chain-of-custody. Used by attorneys in live crypto-fraud matters.

Request an Elite report →

Source status this run: mixer flowsofacofac delta weekrektscamsniffercoingeckosecx alertsbtc whalestrx usdt flowstether frozenphishing domainschainabusedefillama hacks