Crypto Scam Report

Fraud Description: The scammer contacted the victim on Bilibili using the alias Zhou Haodong and gradually built trust over several weeks. The conversation was then redirected to an encrypted chat application called Safex (developed by Guiyang Xingruxue Network Technology Co., Ltd., ICP Filing: 黔ICP备2024035177号-8A) to evade platform monitoring. Within the Safex app, the scammer presented himself as a successful cross-border e-commerce businessman and convinced the victim to invest in a fake online store. He directed the victim to register on the fraudulent website slouqzen.top (a fake Souq/Wish clone), which has since been locked by NameMart and confirmed as phishing by Cloudflare (Report ID: d99940445b49b382). The victim was instructed to deposit Tether (USDT) into the platform. Two transactions were made from the victims Binance account to the scammer-controlled wallet address: 709 USDT — TxID: 072ca2449c203fbaafe16138ab1f1496756ac54b0d070f190436a3279092ce6d 708.5 USDT — TxID: 34fc9207bfbb851ab34a41a165d34326169fe81ab3714c871eaee88afbc30206 Total Loss: 1,417.5 USDT to wallet address TWXLTtvZKonEmYA2NNLSw5goGooeWT7Vj9. After deposits were made, the scammer fabricated fake orders on the platform and demanded additional payments, threatening that the victims funds would be frozen and their credit score affected. When the victim refused, the scammer deleted and blocked all communication channels. On-Chain Evidence: The receiving wallet TWXLTtvZKonEmYA2NNLSw5goGooeWT7Vj9 is a confirmed scam transit wallet with the following characteristics: All incoming funds originate from Binance-Hot 5/6/7/8/9/10/11 official exchange hot wallets. The wallet follows a receive-and-forward disposable transit pattern with zero balance retention. It holds multiple tokens associated with black-market operations (GasFreeSolution, BlockGames, HashGames, TGip388, Rockyweb3globalshopping). Wallet was created on April 6, 2026, coinciding precisely with the active fraud period against the victim. Associated Infrastructure: Safex Chat App — The encrypted communication tool used to isolate and defraud the victim. Developer: Guiyang Xingruxue Network Technology Co., Ltd. slouqzen.top — Core phishing site, locked by NameMart (clientHold), confirmed phishing by Cloudflare. safex.im / safew.im — Both flagged as phishing/suspicious by ScamAdviser and IPQS. xingruxue.top — Backend privacy policy hub for the Safex app, registered via Alibaba Cloud, directly linking the app to its developer. The scammers linked accounts include QQ 3768048303 and Safex ID @s_b49em3jp.