XREX Decodes the "Hidden Enigma" of Online Financial Flow: Who is the "Cryptic Figure" behind Child Exploitation?

The “Creative Private Room,” also known as the Taiwanese version of “N Room,” has recently garnered significant attention for selling a large number of illicitly filmed underage sexual images. The platform has gained further attention due to the revelation that celebrity Huang Zijiao purchased videos from the platform as a premium member. On April 10th, Minister of Health and Welfare Shih Jui-yuan stated in the Legislative Yuan that a letter would be sent to the relevant departments to request the blocking of the domain of the “Creative Private Room.” However, what will happen after the “block”? Who are the individuals profiting from the exploitation and voyeurism of minors, and can they be brought to justice?

XREX Exchange, which has successfully implemented several top international blockchain analysis tools, has conducted an investigation and analysis of the chain flow of funds of the “Creative Private Room.” Today, on the 12th, they officially released a report (complete version submitted to relevant law enforcement agencies). The report was co-authored by Miffy, a blockchain financial crime investigator at XREX, and Yoyo, Senior Director at the XREX Executive Office. Perhaps we can gain some insights from this report.

1. Wallet addresses of the “Creative Private Room”
Using the website “Internet Archive” in conjunction with URLs, “Blockchain Trends” obtained four “non-custodial” wallet addresses used by the “Creative Private Room” at different times:
[Image]

Source: XREX compilation of “Creative Private Room” non-custodial wallet addresses
Based on the wallet information, XREX blockchain financial crime investigator Miffy further investigated the distribution of funds from these four wallets after receiving payment for purchasing videos. XREX has publicly released this report on the chain flow of funds and technical analysis to target the recipients behind the “Creative Private Room,” specifically those individuals in the real world who profit from voyeurism and sexual violence.

2. Key questions addressed by the “Creative Private Room” chain flow report
– How many people paid for membership in the “Creative Private Room”? How can we deduce their true identities from their wallets?
– What wallets does the “Creative Private Room” use for receiving payments? Who might be the holders of these wallets?
– After receiving funds from the “Creative Private Room,” who are the recipients of these funds?
– Why does the “Creative Private Room” transfer funds to these wallets? What roles do these beneficiaries play?
– How can this chain evidence assist law enforcement agencies in taking action?
– What is the upstream and downstream relationship in the entire criminal structure of the “Creative Private Room” chain flow?
– What blockchain tools and analyses can be used as clues in the case to uncover the network behind the criminal organization?

3. Key findings from the “Creative Private Room” chain flow report
– Usage of the four “Creative Private Room” wallets
[Image]

Source: XREX compilation of “Creative Private Room” non-custodial wallet usage
– Potential related parties in the “Creative Private Room” fund flow
[Image]

Source: XREX compilation of “Creative Private Room” wallet receipts and payments
Note:
Deposits to the “Creative Private Room” from exchanges are shown as transaction counts because, when users withdraw funds from an exchange, the funds are sent from the exchange’s hot wallet rather than from a wallet dedicated to the individual user. Tracing the funds therefore requires the exchange to match each transaction to an individual user afterwards. The transaction count does not directly represent the number of users; a single user may have made multiple transactions.
Recharge wallets can be mapped to individual users. One wallet corresponds to one person, making subsequent investigation and identification easier.
The transaction count for deposits and the number of receiving wallets may overlap among the four “Creative Private Room” wallets.

– Top ten “custodial wallets” that received the most funds from the “Creative Private Room”
[Image]

Source: XREX compilation of the top ten “custodial wallets” that received funds from the “Creative Private Room”
The top recipient of funds from the “Creative Private Room” is a “custodial wallet” located on the Binance exchange, with the wallet address TNFw********************4. Using the wallet database tool OKLink, we found transaction information for this wallet. It has been active for three years, and using the MistTrack tool to observe its fund sources, we found that all five wallets are related to the “Creative Private Room.” This wallet has been receiving funds from the “Creative Private Room” since December 5, 2021, until April 29, 2023, a total of 73 times, receiving over 66,000 USDT, equivalent to over 2 million NTD.

– Recent activities of the “Creative Private Room” wallets
Among the four public wallets of the “Creative Private Room,” the most recent fund transfer occurred on April 10, 2024, at 23:19:18, when funds were transferred from the fourth receiving wallet of the “Creative Private Room” to the wallet address TA2G85LLXqtbcMwwZUKn4gDdQ9EkoHRp8V, which means that this wallet is still being actively used.

4. Blockchain analysis tools used in this report
– MistTrack: Searches for labels of blockchain wallets, such as which exchange they belong to or whether they have been flagged as belonging to illegal groups.
  – Free trial for 30 days
– Arkham: Visualizes the interaction between multiple wallets, creating transaction graphs.
  – Free
– BitQuery: Shows the overall fund flow of a single wallet and visualizes it, generating complete flow diagrams.
  – Free
– OKLink: Searches the wallet address database to observe the complete transaction records and related details of specific wallets.
  – Free

5. Proving the association of “Creative Private Room” wallets and tracing the actual holders
When transferring tokens on the blockchain, gas fees (Note 1) are required. By tracking the source of gas fees, one can establish the association between wallets and find information about the actual holders. Transferring TRC-20 USDT issued on the Tron chain requires paying gas fees with TRX. Using the blockchain analysis tool Arkham, we observed the TRX transaction interactions among the four “Creative Private Room” wallets with different receiving wallet addresses obtained from “Blockchain Trends” (Note 2).
[Image]

Source: XREX compilation of the first TRX token import time for the “Creative Private Room”
If a wallet frequently transfers USDT, it will deposit a large amount of TRX. A structured and organized group, whether it is a fraudulent group or a platform like the “Creative Private Room,” will exhibit such characteristics.

The relationship graph generated by the Arkham visualization tool is shown below. It can be seen that the four middle wallets of the “Creative Private Room” have a common source of TRX and have close interactions in TRX transactions, indicating a high probability that these four wallets are held by the same person or group.
[Image]

Source: Arkham visualization of the relationships among the “Creative Private Room” wallets
From the above graph, it can be observed that the fourth wallet of the “Creative Private Room,” TA2G85LLXqtbcMwwZUKn4gDdQ9EkoHRp8V, has a deposit record of 5,066 TRX from the MEXC exchange. This can help law enforcement agencies request user verification information from MEXC by using the unique transaction hash associated with this transaction to determine the identity behind the scenes.

In addition to the aforementioned TRX transaction record, attempts were made to trace the source of the gas fee. The first wallet, TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ, is the earliest among the four wallets of the “Creative Private Room,” dating back to November 30, 2021.
[Image]

Source: XREX compilation of a deposit record of 5,066 TRX to the “Creative Private Room” wallet
By following the gas fee source, it is possible to connect the wallets and identify the actual holders.
6:03:21 First gas fee deposit is made.
Next, we use the visualization tool Bitquery to observe the TRX source and flow of “Creative Private Room” wallet TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ, as shown in the following figure:


Source: Bitquery
From the visualization tool Bitquery, we can observe the “layer transfer” relationship of “Creative Private Room” wallet in TRX transfers, where some wallets imported TRX and immediately transferred it out. The “quick in, quick out” of funds is relatively rare in normal transactions and is one of the characteristics used to determine abnormal transactions.
Based on the graph generated by Bitquery, we have created a clearer table as shown below, with the orange part indicating the four wallets of “Creative Private Room”. This table starts with the first wallet TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ of “Creative Private Room” and examines the layer transfer relationship of its upstream and downstream funds.
This table not only shows the layer transfer relationship between wallets, but also reveals the high correlation among the four wallets of “Creative Private Room”. At the same time, we have also marked specific wallet characteristics such as quick in, quick out, belonging to a specific exchange, and major TRX sources or outgoing wallets, etc.


Source: XREX, “Creative Private Room” wallet layer transfer relationship
According to the table above, a lot of TRX used to pay gas fees is transferred from the Binance exchange, first being transferred to a decentralized “non-custodial wallet” before being transferred to the first wallet TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ of “Creative Private Room”.
The table below summarizes these transaction hashes. Law enforcement agencies can obtain relevant real-name verification information through the Binance exchange to understand who provides the TRX transaction fees for the transfer of funds to “Creative Private Room”.


Source: XREX, “Creative Private Room” wallet recharging with TRX tokens through Binance exchange
We have selected three wallets that provide TRX sources and exhibit “quick in, quick out” behavior. Using the MistTrack tool, we can see the four receiving wallets of “Creative Private Room”, which have been marked as “illegal service”. The green stars represent layer transfer wallets, and the leftmost one is the hot wallet of Binance exchange, indicating that Binance users have withdrawn TRX to the layer transfer wallet and then transferred it to the receiving wallet of “Creative Private Room” within a short period of time.
The TRX transfers between the following three wallets are indicated with gray fonts above the arrows, showing that after withdrawing TRX from the exchange, they were transferred within a few minutes, exhibiting organized “quick in, quick out” behavior and the characteristic of “large withdrawal of gas fee transfers”.
Layer transfer wallet marked with a green star: TMv9PwYkekUeSXwKR5Vpek4uGcAkGMaaUg


Source: MistTrack
Layer transfer wallet marked with a green star: TJnQv8rYMKTZEXzb8QgjTsGn9BRm2SPgjm


Source: MistTrack
Layer transfer wallet marked with a green star: TJxKcEZ1czkYB285sUeJ1FgX8d8hkVu4WP


Source: MistTrack
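
The two heuristics described above (a shared TRX gas source linking wallets, and “quick in, quick out” layer-transfer hops between an exchange and a receiving wallet), sketched in Python as an added example that is not part of the XREX report. The transfer records, wallet labels, 10-minute window and 90% forwarding ratio are constructed assumptions, not values from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed TRX transfers (time, sender, receiver, amount); all labels are placeholders.
TRANSFERS = [
    ("2021-11-30 16:00:00", "EXCHANGE_HOT", "HOP_A", 500),
    ("2021-11-30 16:03:00", "HOP_A", "RECV_1", 499),
    ("2022-08-01 09:00:00", "EXCHANGE_HOT", "HOP_A", 800),
    ("2022-08-01 09:04:00", "HOP_A", "RECV_2", 799),
    ("2023-01-10 12:00:00", "RECV_1", "RECV_3", 300),
    ("2023-03-01 10:00:00", "EXCHANGE_HOT", "SAVER", 700),
    ("2023-03-20 10:00:00", "SAVER", "OTHER", 700),
    ("2023-10-02 08:00:00", "EXCHANGE_HOT", "HOP_B", 1000),
    ("2023-10-02 08:02:00", "HOP_B", "RECV_4", 999),
    ("2023-10-05 08:00:00", "RECV_2", "RECV_4", 50),
]
TARGETS = {"RECV_1", "RECV_2", "RECV_3", "RECV_4"}  # receiving wallets under review

def parse(rows):
    return sorted((datetime.fromisoformat(t), s, r, a) for t, s, r, a in rows)

def shared_funders(rows, targets, min_targets=2):
    """Wallets that sent TRX directly to at least `min_targets` target wallets."""
    funded = defaultdict(set)
    for _, src, dst, _ in parse(rows):
        if dst in targets:
            funded[src].add(dst)
    return {w: sorted(t) for w, t in funded.items() if len(t) >= min_targets}

def quick_in_out(rows, window=timedelta(minutes=10), ratio=0.9):
    """(source, hop, destination, delay_s) where hop forwards most of an inflow fast."""
    txs, hits = parse(rows), []
    for t_in, src, hop, amt_in in txs:
        for t_out, sender, dst, amt_out in txs:
            if (sender == hop and t_in < t_out <= t_in + window
                    and amt_out >= ratio * amt_in):
                hits.append((src, hop, dst, int((t_out - t_in).total_seconds())))
    return hits

def upstream_origins(rows, targets):
    """Look through quick-in/quick-out hops to the wallet that funded each target."""
    origins = defaultdict(set)
    for src, _hop, dst, _ in quick_in_out(rows):
        if dst in targets:
            origins[dst].add(src)
    return {w: sorted(o) for w, o in origins.items()}

if __name__ == "__main__":
    print(shared_funders(TRANSFERS, TARGETS))
    print(upstream_origins(TRANSFERS, TARGETS))
```

In this constructed data, SAVER also withdraws from the exchange but holds the funds for 19 days, so it is not flagged as a layer-transfer hop; RECV_3 has no upstream hop and is tied to the others only through the direct transfer from RECV_1.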
6. Does “Creative Private Room” have new members? Investigating USDT payments for clues
We use the Internet Archive tool to examine the posts of “Creative Private Room”. Although it is the same post, records from different periods reveal that “Creative Private Room” is constantly adjusting its membership payment methods, wallet addresses used, and USDT exchange rates, etc. Using the wallet database OKLink for organization, a total of 2,233 transactions were made from the exchange’s hot wallets to the four receiving wallets of “Creative Private Room”.
Based on the preserved wallet addresses and payment information from the Internet Archive, it is difficult to estimate the exact number of new members “Creative Private Room” had during different periods, as existing members may have made irregular deposits, upgraded to higher-level memberships with different amounts, or engaged in mutual transactions within the group. Further investigation and analysis by law enforcement agencies are needed due to the lack of public information.
However, based on the available information, we can attempt to deduce the number of new members “Creative Private Room” had during different periods through the four receiving wallets using the same deposit amount range.


Time of “Creative Private Room” post recorded by the Internet Archive: August 12, 2022


Source: Internet Archive
Time of “Creative Private Room” post recorded by the Internet Archive: January 28, 2023


Source: Internet Archive
Time of “Creative Private Room” post recorded by the Internet Archive: October 4, 2023


Source: Internet Archive
Time of “Creative Private Room” post recorded by the Internet Archive: April 9, 2024


Source: Internet Archive
Note: The most recent records could not be preserved for the latest deposit wallet addresses. The website operator changed the method to obtain wallet addresses through email inquiries. Therefore, this report uses the wallet addresses in the “Blocktempo” post for statistics.
7. Who benefits from “Creative Private Room”? Investigating the downstream of USDT transfers
Why do the four receiving wallets of “Creative Private Room” send the received funds to other wallets? It is clear that they have a vested interest. By tracing the destination of USDT from these four receiving wallets of “Creative Private Room”, we can identify the main beneficiaries.
Who received the money through the sale of illegal voyeuristic and exploitative videos? Their roles could be website administrators, staff, video providers, operators, or equipment purchasers. The transfers could also be refunds to members. We do not know, and further investigation and action by law enforcement agencies are required.
It is worth noting that centralized exchanges are the only entities that possess users’ real-name verification information. Therefore, finding the “custodial wallets” of centralized exchanges is crucial. By comparing real-name verification and other identifiable information, we can cross-match and identify the group behind “Creative Private Room”.
In the following graph, we use the visualization tool Bitquery to provide an overview of the overall fund flow of the four receiving wallets of “Creative Private Room”. With charts and tables, we can see the wallets that interact with them and match the subsequent beneficiary wallets.
The first receiving wallet of “Creative Private Room”:
TJxBDgdAmD1NPy6ih4E6RBM4YQWZRACakZ


Source: Bitquery


The second receiving wallet of “Creative Private Room”:
TUQbf1PgWvxKethbrYLFY842UL6Z41RiKC


Source: Bitquery


The third receiving wallet of “Creative Private Room”:
TPbRDKYYi5qT3Ayutw6NV31bvNX9zGivZx


Source: Bitquery


Source: Bitquery


Through the visualization tool Bitquery, we can not only determine the upstream and downstream relationships of the four wallets of “Creative Private Room”, but also observe that three of the four receiving wallets of “Creative Private Room” have a significant amount of funds transferred to a single wallet.


Using the blockchain analysis tool MistTrack, we have organized the fund flow of the four receiving wallets of “Creative Private Room” and two layer transfer wallets. The following table shows a list of possible main beneficiaries, leaving only the “custodial wallets” of centralized exchanges with accessible real-name verification information, sorted by amount:


8. Compilation of traceable wallets related to “Creative Private Room”
Transaction hashes providing gas fees for “Creative Private Room”


Disclaimer: This article is for informational purposes only. All content and viewpoints are for reference only and do not constitute investment advice, nor do they represent the views and positions of Blocktempo. Investors should make their own decisions and trades, and the author and Blocktempo will not be held responsible for any direct or indirect losses incurred from investor transactions.
