ChainTracingchaintracing
← ChainTracing
✓ Verified on-chain via Tronscan
Confirmed ScamTron · TRC20USDT

Forensic Analysis Report

Khawar Bhatti —
TRC20 USDT Scam Investigation

Prepared for

Khawar Bhatti · CCP Community

April 25, 2026 · ChainTracing Deep Trace · Report #CT-KHAWAR-001

Entry Scammer Wallet

TLh8UmtzGZHe…kaoMpWg

View on Tronscan ↗

Consolidator Wallet

TCCGrrofm6fh…APdkFv

Executive Summary

Total stolen

$2,071.37

USDT (TRC20)

Wallet age

3+ years

Active since Sep 2022

Scam ring

Multi-victim

4 upstream funnels

Funds status

DRAINED

2.49 USDT remaining

This investigation traces $2,071.37 USDT stolen from two victims — including Khawar Bhatti ($1,626.96) — via a TRC20 USDT scam on the Tron network. Funds were routed through an entry wallet (TLh8Umtz…MpWg) before being consolidated into a professional 3+ year-old laundering wallet with 660 transactions.

The consolidator address has been fully drained. The scammer broadcast their Telegram handle (hb369369) via junk token airdrops — a known operational signature. At least 4 upstream feeder wallets confirm this is a coordinated multi-victim scam ring, not an isolated incident.

Fund Flow: Victim → Scammer → Laundering Chain

Victim funds were deposited into a single entry wallet, then forwarded in bulk (98.7%) to a high-volume consolidator wallet, which distributed funds to multiple downstream recipients in $200–$12,000 chunks.

VICTIM 1TCz47XgC…s1tG7Khawar Bhatti$1,626.96 USDTVICTIM 2TM1zzNDZ…fwx9R$444.41 USDT$1,626.96$444.41SCAMMER ENTRYTLh8Umtz…MpWgActive Sep 2023 · $2,071.37 in98.7% →$2,045.59CONSOLIDATORTCCGrro…dkFvSep 2022 · 660 txs · DRAINEDTelegram: hb369369TGWiaShu…URRLFrequentTEqrBz3Y…b454YRepeatTDR4QCNd…xASuRepeatTSTZvHEp…sGuT$12k txVictim walletScammer entryConsolidator / downstream

Key Findings

🕸️

Multi-victim scam ring confirmed

4 upstream feeder wallets identified feeding the same consolidator. This is not an isolated scam — it is an organised operation with multiple victims across the Tron network.

👤

Professional operation (3+ year wallet age)

The consolidator wallet TCCGrro…dkFv has been active since September 2022 with 660 transactions and 625 USDT transfers — indicative of a long-running criminal enterprise.

🔄

98.7% forwarded — funds laundered

$2,045.59 of $2,071.37 was forwarded to the consolidator in structured chunks ($200–$3,000 USDT). Only $25.78 was retained at the entry wallet.

📱

Scammer identifier: Telegram hb369369

The scammer broadcast their Telegram handle via airdropped junk tokens ('Telegram:hb369369'). Additional junk tokens include ED, arpanetwork.online, overai.pro — fingerprints of this specific actor.

Address Intelligence

Entry WalletTLh8UmtzGZHeJuh6uY4zbxVFMBYkaoMpWg

Active since

Sep 2023

Total in

$2,071.37 USDT

Forwarded

98.7%

ConsolidatorTCCGrrofm6fhEYuKNus2P4HYtUiGAPdkFv

Wallet age

3+ years

Transactions

660 total

Remaining

2.49 USDT

Junk airdrop tokens: ED, arpanetwork.online, overai.pro, "Telegram:hb369369"

Top Downstream Destinations

TGWiaShuy7…KB13URRLFrequent recipient
TEqrBz3Yxf…CoLb454YRepeat destination
TDR4QCNdCA…A2QLxASuRepeat destination
TSTZvHEpx1…uUabsGuT$12,000 single tx

Upstream Feeder Wallets (Multi-Victim Ring)

TPAN5KoY…TUEiUaqj…TRFNtHVW…TFZbJH3H…

All feed into the same consolidator — confirming this is a coordinated multi-victim operation.

Recommendations

  1. 1

    Report Telegram handle hb369369 to Telegram abuse (abuse@telegram.org). Include this report as evidence. Telegram will investigate and suspend coordinated scam accounts on request from law enforcement.

  2. 2

    File a cybercrime report with FIA Cyber Crime Wing Pakistan (helpdesk@fia.gov.pk or NR3C). Attach this forensic report, your transaction ID, and all scammer communications. Case ID: CT-KHAWAR-001.

  3. 3

    Report consolidator address TCCGrrofm6fhEYuKNus2P4HYtUiGAPdkFv to Tether (stablecoin@tether.to) for USDT blacklisting. Tether Ltd has the on-chain power to freeze USDT at specific addresses. Requires a formal law enforcement request.

  4. 4

    All addresses in this report have been flagged in ChainTracing's scam database. Any future victim tracing these wallets will see them marked as confirmed scam infrastructure.

  5. 5

    Future safety: never approve unknown TRC20 token contracts in your wallet, verify recipient addresses independently before any transfer, and never interact with wallets that airdrop unsolicited tokens.

ChainTracing

Generated by ChainTracing Deep Trace · April 25, 2026

Prepared for Khawar Bhatti and the CCP Community

chaintracing.org

This report is provided for investigative and educational purposes. On-chain data sourced from Tronscan. ChainTracing does not guarantee recovery of funds.