ChainTracingchaintracing
← ChainTracing
⚠ Active threat — public advisory
Active ThreatTron · TRC20Multi-Victim

Preliminary Forensic Assessment

fqlex.com & txoin.com —
Coordinated Crypto Investment Scam

Lahore Community Investigation

Public Advisory

April 26, 2026 · Report #CT-PUBLIC-001

This is a shallow public advisory. Full forensic investigation reserved for coordinated victim case.

fqlex.com deposit

TTeyHgbuk8…FsRAxbnE

Currently dormant on-chain

txoin.com deposit

TPgQrryn6a…VfwazwSa

● ACTIVE fund movement

Executive Summary

Active scam platforms

2

fqlex.com · txoin.com

Operational status

ONGOING

Not yet drained

Estimated victims

15,000+

Community-reported

Withdrawals halted

6–7 days ago

Exit scam pattern

Two domains — fqlex.com and txoin.com — operate a coordinated copy-trading and signal-trading Ponzi targeting the Lahore, Pakistan crypto community. Overlapping deposit infrastructure, identical membership tiers, and a shared Telegram operator confirm both platforms are run by the same ring. Withdrawals were disabled approximately April 19–20, 2026 while front-end sites remain online and continue to onboard new victims.

⚠ Live Threat Status

Both platforms remain online and accepting deposits as of April 26, 2026. Active fund movement detected on the confirmed deposit address within the last 4 days. New victims continue to be onboarded. Immediate action recommended.

The Two Platforms

Platform A● LIVE

fqlex.com

Cloudflare-hosted · last-modified April 20, 2026

Deposit address

TTeyHgbuk8…FsRAxbnE

Inactive on-chain — per-victim address pattern suspected.

View on Tronscan ↗
Platform B● LIVE● ACTIVE FUNDS

txoin.com

Xcdn-hosted · last-modified March 18, 2026

Deposit address

TPgQrryn6a…VfwazwSa

Large-volume fund movements detected.

View on Tronscan ↗

🔒 Full chain trace available in deep investigation.

Coordinated Two-Domain Operation

Same operators · same Telegram ring · shared deposit infrastructure · interchangeable front-ends.

fqlex.comCloudflare · per-victim addrsTTeyHgbu…AxbnEtxoin.comXcdn · active depositTPgQrryn…wazwSaSAME OPERATOR RING"Richard Soros" · TelegramVG Team · 7 affiliated groupsTiers: $100 · $200 · $500 USDTWithdrawals disabled Apr 19–20

Operational Fingerprint

Operator identity

"Richard Soros" (Telegram)

Identity stolen from George Soros for legitimacy theater.

Communication channels

Telegram + Bonchat

Multi-platform pattern — complicates takedown.

Membership tier system

$100 · $200 · $500 USDT

Classic Ponzi tier structure.

Minimum deposit

$500 USDT

Filters out low-stakes targets.

Exit indicator

Withdrawal system disabled approximately April 19–20, 2026

Affiliated Telegram groups (7 identified)

VG Team AdministratorPAK-Team Core membersTeam 5923 Investment GroupVG Team New Study@VG-Team Learning MeetAD_PAK VG TEAMServer Operator: winwin

Domain Intelligence

Both domains use privacy services, recent registration, and a multi-registrar setup — classic indicators of a coordinated scam operation.

fqlex.com

Privacy-Protected

15 months

Domain age (as of Apr 26, 2026)

CreatedJanuary 10, 2025
RegistrarDynadot LLC (United States)
RegistrantHidden via Super Privacy Service LTD
Listed locationSan Mateo, California (registrar address — not operator)
Name serversKYREE.NS.CLOUDFLARE.COM · LILA.NS.CLOUDFLARE.COM
ExpiresJanuary 10, 2027

⚠ Red flag: Privacy-shielded WHOIS plus Cloudflare proxy. Operator identity intentionally obscured.

txoin.com

Recent + Fully Redacted

4 months

Domain age (as of Apr 26, 2026)

CreatedDecember 15, 2025
RegistrarGname.com Pte. Ltd. (Singapore)
RegistrantFully redacted across all fields
Listed countryCA (Canada — registrant data redacted)
Name serversA8.SHARE-DNS.COM · B8.SHARE-DNS.NET
ExpiresDecember 15, 2026 (1-year renewal only)

⚠ Red flag: Domain registered just 4 months ago with full WHOIS privacy. Singapore registrar known for hosting anonymous operators.

The two platforms use different registrars (Dynadot in the US, Gname.com in Singapore) but share the same on-chain backend infrastructure. This is a deliberate anti-attribution pattern — splitting domain registrations across jurisdictions complicates law enforcement takedown requests. The fact that txoin.com is only 4 months old suggests it was provisioned as a backup or replacement for fqlex.com when scrutiny intensified. Both domains have only 1-year renewal periods, consistent with operators who do not expect the platforms to outlive their exit scam timelines.

Why This Is an Exit Scam in Progress

🚪

Withdrawals stopped, site stays online

Common exit scam tactic to delay panic and maximize last-minute deposits before disappearing.

💸

Active deposit address moving funds

Operators are visibly consolidating funds on-chain — preparation for the disappearance.

🌐

Multiple front-ends, same backend

Two domains running the same operation allows quick rotation if one is taken down.

🔒

Deep Investigation Available

Preliminary scan complete. Full forensic investigation includes:

🔒

Complete fund flow mapping across all hops

Locked
🔒

All downstream consolidator wallets identified

Locked
🔒

Cross-platform correlation between fqlex.com and txoin.com flows

Locked
🔒

Tether blacklist request package (lawyer-ready)

Locked
🔒

FIA NR3C cybercrime complaint draft

Locked
🔒

Individual victim transaction-to-trace correlation

Locked
🔒

Real-time fund movement monitoring

Locked

Coordinated Victim Investigation

Group Forensic Investigation

Designed for groups of 10+ victims of the same scam ring. Joint forensic report, coordinated legal filing, and lawyer engagement included. Pricing scales per victim.

Request Group Investigation →

chaintracing.org/services

Public Recommendations

  1. 1

    Do NOT make additional deposits to either platform under any circumstances. Both are active scams.

  2. 2

    Do NOT respond to any "support" outreach from "Richard Soros" or VG Team channels. They will attempt to extract more funds via fake recovery offers.

  3. 3

    Document everything. Take screenshots of all chats, deposit confirmations, account dashboards, and Telegram messages. Save TX hashes.

  4. 4

    File a preliminary report with FIA Cyber Crime Wing Pakistan (helpdesk@fia.gov.pk or NR3C portal). Mention this as part of a multi-victim case.

  5. 5

    If you are a victim, join the coordinated investigation effort at chaintracing.org/services. Group action significantly increases the likelihood of any recovery action by Tether or law enforcement.

  6. 6

    Warn others. Do not let this spread further in your community.

This is a public advisory based on preliminary on-chain analysis and victim community reporting. ChainTracing has not verified individual victim claims for this advisory. Recovery of stolen funds is not guaranteed. ChainTracing provides forensic evidence and investigative support, not legal counsel or recovery services.

ChainTracing

Generated by ChainTracing · April 26, 2026

Public advisory for the Lahore Crypto Community

chaintracing.org