Add 3 ETH addresses from stolen-funds laundering trail (STG GROUP AG / VQF Member 100702) #566

Open
gg3971 wants to merge 2 commits into scamsniffer:main from gg3971:add-stgg-laundering-hops-2026-05-08

gg3971 commented May 8, 2026

Summary

Adding 3 Ethereum addresses observed laundering proceeds from a stolen-customer-funds event traced 2026-05-04 to 2026-05-08. Reported by STG GROUP AG (Swiss VASP, VQF Member 100702 under FINMA/VQF SRO oversight) acting in AML/CFT capacity.

Addresses

  • 0x118c80bd57d89df96a7dc4f6c096ac07d35fefea (primary laundering wallet)
  • 0x14a88277239dcf197408861465ef0409168f0fa6 (hop 1)
  • 0xa09a78a79146b8f0d920886e7817cb0b918075a4 (hop 2)

On-chain evidence

  • 2026-05-04 14:58 UTC - 105,290.33 USDT received at primary laundering wallet from victim under false pretences. Followed by 1-USDT probe + confirmation pattern consistent with manually operated laundering.
  • 2026-05-05 03:17 UTC - USDT swapped to DAI via Uniswap V4 (tx 0xeccac2726663de3fff6c7a5a668660a239d41700023d4932e1bf737695a074d0)
  • 2026-05-08 10:37 UTC - 530,000 DAI moved through 3-hop chain (tx 0xc212fa0e6b975c1cd3e8f43f6cbd5de61af4c8144ba3acd4bd30b77b5d019f50)
  • Funds then routed via THORChain Router v4.1.1 (legitimate cross-chain protocol) to BTC destination bc1q986dy509crwj2ylp0vp5t7zqls2yfmx6lwn4rm. THORChain Router itself NOT included in this PR (false-positive risk: protocol used by thousands daily).

Cross-reports filed in parallel

  • Chainabuse: 4 reports submitted, IDs:
    • 03481efd-c709-464b-b31c-ae903a0270d3 (primary laundering wallet)
    • ad69c664-134e-42d0-8262-7d605695b72b (hop 1)
    • 88864653-00c6-4302-a2b6-341081c2e5c8 (hop 2)
    • 4955d98d-d4f1-4968-bba2-ded88e15a28d (BTC destination bc1q986dy...)
  • Nine Realms (THORChain ops, security@ninerealms.com): notified 2026-05-08
  • Etherscan phishing-tag request: filing in progress

Reporter

  • STG GROUP AG (Stablegate)
  • Swiss VASP, CHE-282.984.669
  • VQF Member 100702 (FINMA/VQF SRO oversight)
  • MLRO contact: gk@stablegate.com

Rationale

Pattern: split-forward-consolidate within minutes of source compromise, terminal asset DAI (deliberately freeze-resistant since DAI cannot be issuer-frozen unlike USDT/USDC), THORChain off-ramp to Bitcoin. Flagging here protects MetaMask / Phantom / Rabby / Coinbase Wallet / OpenSea users from inadvertent interactions with these wallets while investigation is ongoing.

gg3971 commented May 8, 2026

Update 2026-05-08 evening UTC — operator continued movement after initial PR. Added 4 more ETH vanity-prefix lookalikes to the blacklist:

  • 0x14ada450c3ce69a9e7fcdd359844c2af448f0fa6 (received 530,000 DAI)
  • 0x14a8efd96e1697013286728500857d77b0980fa6 (probe wallet, received 2.6k DAI)
  • 0x14a8109a03cf643c0f5759d09b3d8cb63bd70fa6 (received 530,000 DAI)
  • 0xa09a23b5742f227507e897718f583e67678d05a4 (received 89,650 DAI from hop 1)

Operator pattern: creating multiple parallel vanity-prefix wallets to fragment the trail. All ending in same hex suffix as the original active hops.

Also: the BTC destination from the original report (bc1q986dy509crwj2ylp0vp5t7zqls2yfmx6lwn4rm) has now been emptied — 6.6315 BTC moved to 2 new BTC operator addresses (out of scope for this EVM blocklist but reported separately to Chainabuse + 7 partner abuse channels).

Cross-reports updated: Chainabuse 6 new IDs filed 2026-05-08 evening (9382de35-e5ee-4f59-86ea-02afc4479e03 + 5 more).
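
The prefix/suffix resemblance reported in the two comments above can be checked mechanically before a blocklist entry is reviewed. The following is an added example, not code from this PR or from the scamsniffer project: it groups the addresses listed above by the leading and trailing hex characters a truncated wallet display would show. The function names and the 3-character default window are assumptions made for illustration.

```python
import re
from collections import defaultdict

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Addresses copied from the two PR comments above (not constructed).
REPORTED = [
    "0x118c80bd57d89df96a7dc4f6c096ac07d35fefea",  # primary laundering wallet
    "0x14a88277239dcf197408861465ef0409168f0fa6",  # hop 1
    "0xa09a78a79146b8f0d920886e7817cb0b918075a4",  # hop 2
    "0x14ada450c3ce69a9e7fcdd359844c2af448f0fa6",  # added in the update
    "0x14a8efd96e1697013286728500857d77b0980fa6",  # added in the update
    "0x14a8109a03cf643c0f5759d09b3d8cb63bd70fa6",  # added in the update
    "0xa09a23b5742f227507e897718f583e67678d05a4",  # added in the update
]


def fingerprint(addr, prefix_len=3, suffix_len=3):
    """Return the (prefix, suffix) pair a truncated address display exposes."""
    if not ADDR_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    body = addr[2:].lower()  # checksum casing does not change identity
    return body[:prefix_len], body[-suffix_len:]


def lookalike_clusters(addresses, prefix_len=3, suffix_len=3):
    """Group distinct addresses whose leading AND trailing hex both match."""
    groups = defaultdict(set)
    for addr in addresses:
        groups[fingerprint(addr, prefix_len, suffix_len)].add(addr.lower())
    # Only fingerprints shared by two or more distinct addresses are clusters.
    return {fp: sorted(m) for fp, m in groups.items() if len(m) > 1}


def resembles_flagged(candidate, flagged, prefix_len=3, suffix_len=3):
    """Return flagged addresses the candidate resembles without equalling."""
    fp = fingerprint(candidate, prefix_len, suffix_len)
    cand = candidate.lower()
    return sorted(
        a.lower() for a in flagged
        if a.lower() != cand and fingerprint(a, prefix_len, suffix_len) == fp
    )


if __name__ == "__main__":
    for fp, members in lookalike_clusters(REPORTED).items():
        print(f"{fp[0]}...{fp[1]}: {len(members)} addresses")
```

Widening the window to 4 characters on each side splits the clusters, so the window length should match what the wallet or explorer in question actually displays.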
