Forensic Analysis:
Active Mass-Distribution Wallet
Arkham Cluster 032e · 44-day operation · $10.57B volume
Prepared for
Pleasant Green / Ben Taylor
April 25, 2026 · ChainTracing Deep Trace
⚡ Executive Summary
The address bc1qwfes4nt3a9xr6glslyk4tlqf773rv2lznmkmf5 is part of a 2-address cluster identified by Arkham Intelligence (cluster ID 032e). The cluster activated on March 11, 2026 and has processed $10.57 billion USD in 44 days — averaging $240 million per day. This is not a personal scammer wallet. It is the operational backbone of either a high-volume laundering service, an unlicensed mixer, or a compromised exchange hot wallet.
The cluster's velocity, lifespan, and fan-out pattern (one transaction every 4 minutes, 849 unique destinations in any 18-hour window) match the operational signature of services used by organized scam networks to obscure victim funds at scale.
Standard blockchain tracing terminates at this layer. Recovery requires identifying the service operator via a coordinated exchange subpoena and law enforcement referral.
Key Findings
Lifetime Volume
$10.57B
75,588 BTC across cluster
Daily Throughput
$240M/day
44-day operation
Velocity
1 tx every 4 min
Continuous activity
Cluster Status
ACTIVE
Last tx: 2 days ago
The Pattern: 1-Input → Many-Outputs
Each transaction follows an identical structure: a single input from this address fans out to 3–8 recipient addresses in one atomic transaction. This is the hallmark of automated batch payout software — the same architecture used by legitimate exchanges for bulk withdrawals, repurposed here for criminal distribution.
The 849 unique destinations seen in 18.6 hours do not represent 849 individual scam victims — they represent the downstream hop after consolidation. Individual victim funds have already been pooled before arriving here.
🔗 Cluster Identification
Arkham Intelligence has clustered this address with one other Bitcoin address as a single operating entity:
The drained companion address indicates the operator periodically rotates primary deposit endpoints — a common operational security pattern for laundering services. This further confirms the cluster is an organized operation, not a passive wallet.
Cluster ID: c7f0b31bf85291e40ae0e39d7c41b30d2034dfe0adec474ec5f485add2bf032e
Arkham label: 032e · First seen: March 11, 2026 · Last seen: April 23, 2026
What This Means For Victims
Why standard tracing stops here
Once funds enter a batch payout processor, they are atomically mixed with funds from other victims across other scams. The on-chain trail splits into hundreds of outputs simultaneously. No further address-level tracing can reliably attribute a specific victim's funds to a specific output.
Why exchange subpoena is the only recovery path
A meaningful fraction of the 849+ destination addresses will be exchange deposit addresses (Binance, Coinbase, Kraken, OKX, etc.). Exchanges hold KYC identity records for those accounts. A law enforcement subpoena or a formal request under the relevant jurisdiction's MLAT treaty can compel the exchange to freeze those accounts and provide identity data.
What victims must collect before filing
① The exact transaction ID (txid) of their payment. ② The receiving address they sent funds to. ③ Screenshots of all communications with the scammer. ④ Any account details or usernames provided by the scammer. ⑤ The date, amount, and currency sent. This information forms the evidentiary chain law enforcement needs.
Top 10 Destination Addresses
| # | Address | Received (BTC) | USD (~$95k) |
|---|---|---|---|
| 1 | bc1qg8fl0d…lcfs6ppd | 0.39163189 | $37,205 |
| 2 | 3N9FU7C488…Q1AGcKQd | 0.33796247 | $32,106 |
| 3 | bc1q9kyzc7…6cmajj48 | 0.20000000 | $19,000 |
| 4 | 177zTQn8Mz…VkoyxQUt | 0.17486010 | $16,612 |
| 5 | bc1qusj7u6…mhh0fjhh | 0.17423114 | $16,552 |
| 6 | bc1qf64q32…wkvtpng0 | 0.13415011 | $12,744 |
| 7 | 37rVjsBr9A…r9Qc1xEE | 0.13359602 | $12,692 |
| 8 | bc1qqkcpax…ksyag042 | 0.09374020 | $8,905 |
| 9 | 3ADg4zCe6f…uvSehSMY | 0.08580545 | $8,152 |
| 10 | bc1q7stqa6…mxpe6yjh | 0.08121119 | $7,715 |
Showing top 10 of 849 unique destinations observed in the 18.6-hour analysis window.
Sample Transactions
d6c4bd5ab35412309b74bfc278275dc0e1da7a1b91efbc475226a9d6b9e87da8
Outputs
5
Total sent
0.00412 BTC
USD value
$391
fd18c89fb0a5a179407a94c3e52a178fd5f4a2b2a4a3a4fec6f5b7e4a82e19de
Outputs
5
Total sent
0.00724 BTC
USD value
$687
3812c69aacb97d772bf61a0d96b226515cd0a622e8e090b1250084a60198983b
Outputs
3
Total sent
0.00477 BTC
USD value
$453
Recommendations
- 1
File a police report immediately, citing the address and transaction ID. Request the report number — you will need it for any exchange subpoena request.
- 2
Contact your national cybercrime unit (FBI IC3 in the US, Action Fraud in the UK, BKA in Germany). Provide the full transaction chain from your wallet to this address.
- 3
Submit a report to Chainalysis Reactor and/or Elliptic — both track this address type and may already have it flagged to known exchange accounts.
- 4
Identify which exchanges received funds downstream (e.g. via ChainTracing or a licensed blockchain analytics firm). File a formal freeze request with those exchanges citing law enforcement case number.
- 5
Contact mempool.space and request any IP/metadata logs associated with transaction broadcasts from this address. They may comply with formal law enforcement requests.
- 6
Do NOT send additional funds to this address or any address claiming to be a 'recovery service.' These are follow-on scams targeting prior victims.
- 7
Preserve all evidence: screenshots, chat logs, email headers, transaction IDs, wallet addresses, and any account credentials provided by the scammer. Do not delete communications.
ChainTracing
Generated by ChainTracing Deep Trace · Cluster intelligence verified via Arkham Intelligence · April 25, 2026
chaintracing.orgThis report is provided for investigative and educational purposes. On-chain data sourced from mempool.space. ChainTracing does not guarantee recovery of funds.