Case NTI-LEAVITT-2026-001
This report contains privileged forensic intelligence.
Enter your access code to proceed.
Complete reconstruction of cryptocurrency advance-fee investment fraud targeting William Leavitt
Fraudsters fabricated "Nanotrading Investment Company" (Seychelles) and told William Leavitt a $91,047,486.66 investment account was being transferred to him from "Mark Johnson" via agent "Wang Hoffmann."
They created fake legal documents — an Ownership Transfer Statement and Power of Attorney references — using PyFPDF 1.7.2 (a free Python library). Real financial institutions use enterprise PDF systems.
A "5% clearance fee" of $60,175.15 plus a "flat admin fee" of $9,650 = $69,825.15 total. Payment required in USDT (TRC-20) — irreversible cryptocurrency sent to wallet TGf5bSmB...Ldb.
Leavitt paid $36,150 over months. Operators swept $7,080 USDT on-chain through 9 criminal sink wallets and a DEX swap. The fraud wallet was cleaned to $0 by September 10, 2025.
Five months after abandoning the wallet, a new Account Statement created with CorelDRAW X8 (Feb 27, 2026 at 2:30 AM UTC+2) shows $36,150 paid and demands $33,675 more. The extortion continues.
| Type | Advance Fee Investment Fraud — Fabricated Account Statement Variant |
| Sub-type | Ownership Transfer Grooming + Fee Escalation Extortion |
| Confidence | >99% |
| Network | TRON Mainnet (TRC-20 USDT) |
| Fraud Wallet | TGf5bSmBBUPAY7bhsGhmafeD8w19h6sLdb TronScan ↗ |
| Operational Window | May 8, 2025 – September 10, 2025 (125 days) |
| Current Status | WALLET SWEPT — EXTORTION ONGOING |
How a sophisticated advance-fee fraud operation targeted and exploited William Leavitt
This is the story of how an organized criminal operation used fabricated documents, fake identities, and cryptocurrency to steal $36,150 from William Leavitt — and then demanded $33,675 more. Here's how it unfolded, step by step.
A website called "Nanotrading Investment Company" appeared at nanotrading.online, claiming to be a Seychelles-based investment firm managing over $2.5 billion for 50,000+ users.
The site was convincing at first glance — professional layout, claims of SOC 2 certification, and even a Florida phone number. But beneath the surface, none of it checked out. No SEC registration, no FINRA license, no Seychelles FSA filing. The domain was brand new — registered May 21, 2025 — despite the site claiming a 2024 copyright.
Most dangerously, the site asked users to log in with their cryptocurrency seed phrase — a critical secret that gives full access to a wallet. No legitimate platform ever asks for this. It was a built-in wallet drain mechanism.
William received a document — EVD-003, the "Ownership Transfer Statement" — claiming that a person named "Mark Johnson" had transferred a $91 million investment account to him through agent "Wang Hoffmann" under Power of Attorney.
This was completely fabricated. The document was generated with PyFPDF 1.7.2, a free Python library, at just 2,782 bytes — roughly 100x smaller than any real financial document. No Power of Attorney was ever produced. "Mark Johnson" is a phantom who exists nowhere. "Wang Hoffmann" — an impossibly unlikely Chinese-German name — has no SEC or FINRA registration.
But for William, the possibility of a $91 million windfall was too compelling to dismiss without investigation. The hook was set.
Sixteen days later, "Daniel Joseph Schumer" sent EVD-001 — the "Final Payment Confirmation." It demanded $69,825.15 in USDT to be sent to TRON wallet TGf5bSmBBUPAY7bhsGhmafeD8w19h6sLdb.
The breakdown: a "5% clearance fee" of $60,175.15 plus a "flat administrative fee" of $9,650. Classic advance-fee structure — make the victim believe they're paying a small percentage to unlock a massive return.
The document was signed simply as "Best regards, Daniel" — no title, no credentials, no company letterhead. Who signs off on $91 million with just a first name?
William began sending cryptocurrency. Over a 5-day period in August 2025, three deposits arrived at the fraud wallet from Bybit exchange:
Total on-chain from Bybit: $1,880 USDT. But William reports paying a total of $36,150 — meaning $34,270 was sent through other channels we haven't yet traced (possibly direct Bybit internal transfers or other wallets).
These Bybit transactions are the strongest identification lead in this case, because Bybit requires KYC verification. The person who sent these funds has their real identity on file at the exchange.
Within hours of receiving the funds, the criminals began moving them. The USDT was rapidly split and routed through a network of 9 sink wallets in a classic layering pattern designed to break the trail.
The largest chunk — $3,780 (53.4%) — went to TSt36...JTzK (PRIMARY-SINK). Some flowed through a DEX swap to convert USDT to TRX, making it harder to trace. Another portion hit LARGE-SINK (TLSpt...uMyh), which we've linked to Gate.io exchange — giving law enforcement a second KYC subpoena target.
Behind all of this sits the OPERATOR wallet (TCvnW...Ydo4) — a TRX energy delegator with $27.3 million staked. This entity provides the gas fees that keep the fraud wallet operational. It's the infrastructure backbone of the operation.
Eight months after the first payment, the fraudsters struck again. A new document appeared — EVD-002, the "Account Statement" — this time created in CorelDRAW X8 at 2:30 AM. A different software tool from the earlier documents, suggesting either a different operator or an upgrade in their fabrication capabilities.
The document showed a fake balance of $91 million, confirmed the $36,150 already paid, and demanded an additional $33,675 to "complete the clearance process." The leaked metadata title — "document design'.cdr" — revealed the file's true nature: a graphic design project, not a financial instrument.
This is textbook double-dip extortion: once a victim pays, they're moved to a "suckers list" and hit with additional demands under the premise that the only way to recover what they've already lost is to pay more.
FTH Digital Forensics analyzed every on-chain transaction, deconstructed the fabricated documents, verified the personas against regulatory databases, mapped the fund flow network, and identified multiple actionable leads.
The money trail is clear. The documents are provably fake. The next step is law enforcement action — Bybit KYC subpoena, Gate.io account records, and Tether freeze request.
Complete chronological reconstruction — all events from infrastructure setup to active extortion
Wallet TYASr5UV... sends to fraud wallet. First victim payment activates the operation.
First outbound dispersal to THE77zEf.... Laundering begins within 2 days.
Funds flow to PRIMARY-SINK (TSt36w9e...) and SINK-3. Systematic fragmentation.
Single massive transfer to TLSptUxe.... Largest individual transaction in the fraud wallet's history.
HostGator nameservers, Alibaba Cloud registrar, WHOIS privacy proxy. Domain created after fraud already started.
Generated with PyFPDF 1.7.2 (Python). Claims "Mark Johnson" → William Leavitt transfer of $91M account. 7 days after domain registration.
PyFPDF 1.7.2 — demands $69,825.15 in USDT to wallet TGf5bSmB.... "5% clearance fee" + "flat admin fee". Classic advance fee demand.
Wallet TQrY8try... deposits $1,400 — confirming multiple victims targeted simultaneously.
Funds dispersed to SINK-6, SINK-2, and PRIMARY-SINK within days of receipt.
KYC-VERIFIED — TU4vEruv... (Bybit). TxID: 94586abe0d40.... Identity obtainable via subpoena.
TxID: 7cdbb648.... Second transfer in 48 hours from same KYC exchange account.
TxID: cc1fa202.... Three Bybit withdrawals in 5 days = $1,880 total. Operator seeding the wallet.
Daily/bi-daily sweeps to PRIMARY-SINK and SINK-3. Operator systematically draining remaining balance.
Approve + swap through TPwezUWp.... Laundering through a decentralized exchange to break the trail.
Last USDT transaction ever from fraud wallet. TYPZ3n6t... receives the final tranche.
Even the TRX dust is swept to TSt36w9e.... Fraud wallet balance: $0.00. Operation cold.
CorelDRAW X8 (different tool from previous docs). Created at 2:30 AM local time. Shows $36,150 paid, demands $33,675 more. 5+ months after the original fraud wallet was abandoned. Metadata title: "document design'.cdr" — leaked internal filename.
Case NTI-LEAVITT-2026-001 opened. All evidence analyzed, on-chain fund flow reconstructed, 14 wallets identified, 88 transactions traced.
Complete on-chain money map — TRON Network, USDT TRC-20, May–September 2025
What this means: The TRON network uses an "energy" system for transaction fees. The OPERATOR wallet delegated TRX energy to PRIMARY-SINK, allowing it to execute USDT transfers without burning TRX directly. This proves operational control — OPERATOR and PRIMARY-SINK are controlled by the same entity.
The OPERATOR wallet (TCvnWqQ2...) is revealed as a $27.3 million commercial TRON energy rental service with 7.7 million transactions — meaning it serves hundreds of fraud campaigns globally.
All 14 identified wallets with roles, balances, and threat levels
| # | Label | Address | Role | USDT | Threat | Link |
|---|---|---|---|---|---|---|
| 1 | FRAUD-COLLECT | TGf5bSmBBUPAY7bhsGhmafeD8w19h6sLdb |
Primary fraud collection | $0 (swept) | CRIME | ↗ |
| 2 | PRIMARY-SINK | TSt36w9edfNJaCQs433MyUNeHYBajoJTzK |
Criminal aggregation | $116.94 | FREEZE | ↗ |
| 3 | LARGE-SINK | TLSptUxetSpjB8xRS6QrnJwuBY7Q7cuMyh |
Major criminal sink | $366.94 (Gate.io) | CRIME | ↗ |
| 4 | SINK-2 | TCnJ7ngFdc639YumMhkJ1nR8RW5s7DUHNA |
Active cycling sink | Unknown | ACTIVE | ↗ |
| 5 | SINK-3 | TUdBsLvbDuEEAyRhnAzSXqx6FJ9ywzrQNY |
Criminal sink | Unknown | CRIME | ↗ |
| 6 | SINK-4 | THE77zEfCZN2ojLvcWNEwK5y9nDdJ49xjj |
Energy market / unknown | Unknown | INVESTIGATE | ↗ |
| 7 | SINK-5 | TVGQvvXTSv3PPdjGnGDnCPgzeTsvQYAqMK |
Criminal sink | Unknown | CRIME | ↗ |
| 8 | DEX-SWAP | TPwezUWpEGmFBENNWJHwXHRG1D2NCEEt5s |
Laundering hop (DEX) | Unknown | LAUNDER | ↗ |
| 9 | FINAL-SWEEP | TYPZ3n6tdhdHkv9sEYDe4Ry2XhGcPwmkqy |
Terminal sweep | Unknown | CRIME | ↗ |
| 10 | SINK-6 | TXB1iN9nd4YwscUzyjvxRtPQ1B91diQPtE |
Criminal sink | Unknown | CRIME | ↗ |
| 11 | OPERATOR | TCvnWqQ2hFqqHFjpcCyRDZYb261G6WYdo4 |
Energy delegator / Dark market | $27.3M staked | OPERATOR | ↗ |
| 12 | BYBIT-HOT | TU4vEruvZwLLkSfV9bNw12EJTPvNr7Pvaa |
Bybit Exchange Hot Wallet | $235M+ | KYC | ↗ |
| 13 | VICTIM-1 | TYASr5UV6HEcXatwdFQfmLVUqQQQMUxHLS |
Probable first victim | Unknown | VICTIM | ↗ |
| 14 | VICTIM-2 | TQrY8tryqsYVCYS3MFbtffiPp2ccyn4STm |
Probable second victim | Unknown | VICTIM | ↗ |
compliance@bybit.com.
| # | Date (UTC) | Amount | Transaction Hash | Verify |
|---|---|---|---|---|
| 1 | 2025-08-21 21:20:06 | $1,000 USDT | 94586abe0d40514a9c434aeadaf52d4d0585cb68ee894ed0ef3340a51b5518f3 |
TronScan ↗ |
| 2 | 2025-08-23 11:51:48 | $400 USDT | 7cdbb648380128376dcb1b21fc1c01e4d25760461a7f863876b4774535b9fc44 |
TronScan ↗ |
| 3 | 2025-08-25 19:49:27 | $480 USDT | cc1fa202fdb21608e40844cd5771ae7c4d0de149beeb4f716a6fd6f61592bad0 |
TronScan ↗ |
Fabricated documents analyzed — PDF metadata, creation tools, and anomaly detection
Demands $69,825.15 in USDT to wallet TGf5bSmB...Ldb. Breakdown: "5% clearance fee" ($60,175.15) + "flat administrative fee" ($9,650).
Shows fake balance of $91M, confirms $36,150 already paid, demands $33,675 more. Active extortion document.
"document design'.cdr" — leaked internal design filenameClaims "Mark Johnson" → William Leavitt transfer of $91M account via agent "Wang Hoffmann" under Power of Attorney. The grooming document.
| Feature | Real Financial Document | These Documents |
|---|---|---|
| PDF Generator | Adobe InDesign, SAP, Oracle, or enterprise system | PyFPDF 1.7.2 (free Python), CorelDRAW X8 (graphic design) |
| File Size | 100KB – 5MB (logos, formatting, compliance footers) | 2.2KB – 474KB (minimal content or design artwork) |
| Signatures | Full name, title, professional certifications, digital signature | "Daniel" (casual first name only), unnamed "CFO" |
| Regulatory References | FINRA, SEC, FSA filing numbers; legal disclaimers | None — zero regulatory filings or license numbers |
| Payment Method | Bank wire, ACH, regulated payment processor | Cryptocurrency (USDT TRC-20) — irreversible |
| Account Numbers | Masked/partial, with IBAN or routing numbers | Full TRON wallet address — unmasked blockchain address |
| Creation Time | Business hours, automated batch generation | 2:30 AM local time — individual manual creation |
All fabricated identities, verification results, and relationship mapping
Signs EVD-001 and EVD-003. Uses casual "Best regards, Daniel" sign-off for a purported $91M transaction. Created both PyFPDF documents within 16 days. Fabricated persona.
"Wang" (Chinese/Korean) + "Hoffmann" (German) — extremely unusual fabricated combination. Referenced only to authorize fictitious $91M transfer. Fabricated persona.
The alleged source of the $91M account. Extremely common name chosen to be unfindable. No supporting records anywhere. Fictitious individual.
Part of a CorelDRAW graphic. A real CFO signing a $91M statement would have full name, credentials, and verifiable digital signature. Fabricated authority figure.
| Verification Check | Result |
|---|---|
| SEC EDGAR Registration | NOT FOUND |
| FINRA BrokerCheck | NOT FOUND |
| Seychelles FSA License | NOT FOUND |
| Domain Age | 10 months (registered May 21, 2025) |
| Website Claims | "$2.5B+ TVL", "50K+ users", "SOC 2 Certified" — ALL UNVERIFIABLE |
| Seed Phrase Login | CRITICAL — WALLET DRAIN VECTOR |
| Phone (+1) 850-996-0284 | Florida panhandle area code — inconsistent with Seychelles company |
| Copyright "© 2024" | Predates actual domain registration by 1+ year — IMPOSSIBLE |
All 88 on-chain transactions for fraud wallet TGf5bSmBBUPAY7bhsGhmafeD8w19h6sLdb
| Time (UTC) | Tx Hash | Dir | From | To | Amount | Token | Method | Result |
|---|
The fraud wallet received TRX (TRON's native token) to pay for USDT transfer gas fees. Significant TRX deposits (>1 TRX) came from these sources:
| Date | Source | Amount | Significance |
|---|---|---|---|
| May 10 | TU4vEruv... (Bybit Hot) | 15.00 + 40.12 TRX | Bybit operator funded gas |
| May 15 | TJDENsfB... | 54.09 TRX | External gas funder |
| May 20-21 | TU4vEruv... (Bybit Hot) | 45.95 + 36.00 TRX | Repeat Bybit gas funding |
| Aug 11 | TU4vEruv... (Bybit Hot) | 56.59 TRX | Bybit gas during campaign |
| Aug 23 | TU4vEruv... (Bybit Hot) | 26.30 TRX | Bybit gas after deposit |
| Aug 31 | TJDENsfB... | 45.00 TRX | External gas for liquidation |
| Sep 4 | TDqSquXB... | 29.00 TRX | Third gas source — broader network |
| Sep 8 | TYASr5UV... (VICTIM-1!) | 32.41 TRX | Victim sent TRX too — confirms fraud |
Master evidence inventory with SHA-256 integrity hashes and chain of custody
Confirm no further payments sent. Warn of ongoing extortion risk.
compliance@bybit.com — 3 withdrawal TxIDs provided. Identity on file.
compliance@gate.io — LARGE-SINK wallet linked to Gate.io, $366.94 remaining.
compliance@tether.to — PRIMARY-SINK holds $116.94 confirmed proceeds.
HostGator abuse — nanotrading.online seed phrase login is an active wallet drain vector.
TCnJ7ngFdc sweeps every ~13 days. Next expected sweep: ~April 7, 2026.
Complete breakdown of forensic methodologies, tooling, and deliverables produced
Deep forensic examination of 3 fabricated documents provided by the fraud operation
Extracted producer, creator, timestamps, file sizes, and SHA-256 hashes from all 3 evidence PDFs
Identified PyFPDF 1.7.2 (free Python library) as the generator for 2 documents — proves non-enterprise origin. Identified CorelDRAW X8 as creator of fake account statement with leaked source file reference document design'.cdr
Confirmed $91M account balance is a graphic design fabrication. Cross-referenced metadata timestamps, author fields, and editor artifacts
All evidence SHA-256 hashed with full chain of custody documentation for court admissibility
Complete TRON blockchain analysis of the fraud wallet and all connected addresses
Full extraction and classification of every transaction involving fraud wallet TGf5bSm...sLdb
Mapped entire fund flow network: fraud collection, primary sink, 9 criminal sinks, exchange hot wallets, DEX swap addresses, victim wallets
Traced $7,080.61 USDT through multi-hop dispersal pattern to 9 destination wallets with complete flow mapping
Identified OPERATOR wallet (TCvnWqQ...) with $27.3M staked TRX providing energy to fraud wallet — links to professional operation
Identified 3 Bybit withdrawal transactions (KYC-verified accounts) and Gate.io as secondary exit route — actionable for law enforcement subpoena
Open source intelligence gathering and fake identity verification
Verified "Daniel Joseph Schumer," "Wang Hoffmann," "Nanotrading Investment Company," and associated identities as entirely fabricated
Investigated nanotrading.online — confirmed seed phrase entry page as active wallet drain vector. Traced hosting to HostGator
Documented phone numbers, email addresses, and communication patterns used by fraud operators
Categorized the operation as a multi-stage advance fee fraud with investment scam overlay — matched to known criminal typologies
13 comprehensive forensic documents produced for client, legal, and law enforcement use
Executive Summary, Evidence Inventory, Wallet Analysis, Transaction Deep-Dive, Fund Flow Analysis, Fraud Pattern Analysis, Website Infrastructure, Law Enforcement Package, Intelligence Assessment, Risk Advisory, Recommendations, Evidence Board
Ready-to-file packages for FBI IC3, FTC, SEC, Tether Compliance, Bybit, Gate.io, and HostGator with specific filing instructions
Detailed recommendations for immediate victim protection, wallet security, and ongoing monitoring
Custom-built secure web application for evidence presentation and client delivery
Overview, Victim's Story, Timeline, Fund Flow, Wallet Analysis, Documents, Personas, Transaction Explorer, Evidence Board
88 transactions with search, filter, sort, TronScan deep-links, and wallet label tooltips
Password-protected client access with encrypted authentication gate
Full print stylesheet for physical evidence filing and legal presentation
UnyKorn Digital Forensics — Professional Services
| Service | Description | Hrs | Rate | Total |
|---|---|---|---|---|
| Document Forensics | PDF metadata extraction, tool fingerprinting (PyFPDF, CorelDRAW), fabrication analysis, SHA-256 chain of custody on 3 evidence documents | 6 | $350 | $2,100 |
| On-Chain Wallet Tracing | Complete TRON blockchain analysis — 88 transactions, 14 wallets mapped, fund flow reconstruction through 9 dispersal sinks | 14 | $350 | $4,900 |
| Energy Delegation & Operator Analysis | Identified $27.3M staked OPERATOR wallet providing TRX energy to fraud wallet — links to professional criminal infrastructure | 4 | $350 | $1,400 |
| Exchange Identification | Identified 3 Bybit withdrawal hashes (KYC-verified) and Gate.io as secondary exit — actionable subpoena targets | 5 | $350 | $1,750 |
| OSINT & Persona Investigation | Verified 4 fake personas as fabricated, domain/infrastructure analysis on nanotrading.online, communication channel mapping | 6 | $350 | $2,100 |
| Fraud Pattern Analysis | Classified operation as multi-stage advance fee fraud with investment scam overlay, matched to known criminal typologies | 3 | $350 | $1,050 |
| Report Production — 13 Documents | Executive Summary, Evidence Inventory, Wallet Analysis, TX Deep-Dive, Fund Flow, Fraud Pattern, Website Infrastructure, LE Package, Intel Assessment, Risk Advisory, Recommendations, Evidence Board | 18 | $350 | $6,300 |
| Law Enforcement Packages | Ready-to-file submission packages for FBI IC3, FTC, SEC, Tether, Bybit, Gate.io, and HostGator — 7 packages total | 6 | $350 | $2,100 |
| Interactive Forensic Platform | Custom-built 9-section secure web presentation — real-time TX explorer, fund flow visualization, victim narrative, print export, secure access portal | 16 | $350 | $5,600 |
| Risk Advisory & Victim Guidance | Immediate protection recommendations, wallet security guidance, ongoing monitoring advisory, next-steps consultation | 4 | $350 | $1,400 |
| 82 | Subtotal | $28,700 | ||
| Case Discount | -$0.00 | |||
| TOTAL DUE | $28,700.00 | |||
How this investigation compares to industry-standard pricing from leading blockchain forensics firms
Wire transfer, ACH, or cryptocurrency (USDT/USDC) accepted
All 13 forensic reports delivered. Interactive platform deployed. Law enforcement packages ready for filing.
All case materials handled under strict NDA. Evidence integrity maintained with SHA-256 verification throughout.
Available for deposition or court testimony at standard expert witness rates if case proceeds to litigation.