Investigation #2: Following the clone-shop money - wallet clusters and escrow contracts

In Investigation #1 we mapped the marketplaces. Now we follow the money. Three escrow contracts handle a clear majority of the clone-shop volume we observed in March-April 2026, and the wallet clusters around them tell a more boring story than the headlines suggest.

Method, in plain language

We started with twelve known clone-shop storefronts and one Telegram broker who advertises openly. We tagged the deposit addresses, walked the on-chain graph two hops in each direction, and clustered by co-spending and shared off-ramp endpoints. The labels we use here are conservative: we only call a wallet a "shop wallet" when at least two of three signals match (storefront-listed deposit, escrow co-spend, identical off-ramp pattern).

The three escrow contracts

Where the money goes

The off-ramp pattern is dull and consistent. Funds leave the escrow contract, sit briefly in a hot wallet, get split into 4-7 outgoing transfers in the same minute, and end up at three places: a Tier-2 exchange in Eastern Europe, an OTC desk in the UAE, and a bridge to a chain whose anti-laundering controls are weaker. The exchange tier and the OTC desk together handle ~78% of observed volume.
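For an exchange or analytics team that wants to screen for the fan-out described above, the following is an added example, not code used in this investigation. The addresses and transfers are constructed, and the `max_dwell` cutoff is an assumption, since the text only says funds sit "briefly".

```python
import bisect
from collections import defaultdict

# Constructed sample transfers: (unix_ts, sender, receiver, amount). Not real addresses.
ESCROWS = {"escrow_A"}
TRANSFERS = [
    (1000, "escrow_A", "hot_1", 50.0),
    (1500, "hot_1", "dst_1", 10.0),
    (1510, "hot_1", "dst_2", 10.0),
    (1520, "hot_1", "dst_3", 10.0),
    (1530, "hot_1", "dst_4", 10.0),
    (1535, "hot_1", "dst_5", 10.0),   # 5 transfers inside one minute
    (2000, "escrow_A", "hot_2", 20.0),
    (2100, "hot_2", "dst_6", 20.0),   # single forward, not a fan-out
    (3000, "user_9", "hot_3", 30.0),  # burst, but not funded by an escrow
    (3060, "hot_3", "dst_1", 7.5),
    (3061, "hot_3", "dst_2", 7.5),
    (3062, "hot_3", "dst_3", 7.5),
    (3063, "hot_3", "dst_4", 7.5),
]

def find_fanouts(transfers, escrows, min_split=4, max_split=7, max_dwell=3600):
    """Return [(wallet, minute_start_ts, n_out)] for escrow-funded wallets that
    send min_split..max_split transfers within one calendar minute, no later
    than max_dwell seconds (assumed threshold) after the latest escrow payout."""
    funded = defaultdict(list)            # wallet -> sorted escrow payout times
    for ts, src, dst, _ in sorted(transfers):
        if src in escrows:
            funded[dst].append(ts)
    buckets = defaultdict(list)           # (wallet, minute) -> outgoing times
    for ts, src, _, _ in transfers:
        if src in funded:
            buckets[(src, ts // 60)].append(ts)
    hits = []
    for (wallet, minute), stamps in sorted(buckets.items()):
        first = min(stamps)
        i = bisect.bisect_right(funded[wallet], first)
        if i == 0:                        # burst happened before any payout
            continue
        dwell = first - funded[wallet][i - 1]
        if min_split <= len(stamps) <= max_split and dwell <= max_dwell:
            hits.append((wallet, minute * 60, len(stamps)))
    return hits

if __name__ == "__main__":
    for wallet, start, n in find_fanouts(TRANSFERS, ESCROWS):
        print(f"{wallet}: {n} outgoing transfers in the minute starting {start}")
```

A hit is a lead for review, not a label: the method above still requires two of three signals before a wallet is called a shop wallet.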

Geography we can defend

We will not name people. We can say with confidence that the operator clusters concentrate in three time zones (Eastern Europe, South Asia, parts of West Africa), based on co-spend timing and the activity windows of human-in-the-loop messages from the broker. The clones, importantly, are not made in those time zones - the GPU work is rented from large commodity providers and the bills are paid in fiat.

What this changes for defenders

Three things. First, KYC vendors should treat Contract C's on-chain rating system as a leading indicator of which shops are scaling. Second, exchanges should re-tag any deposits that move through the eight bridge endpoints we will provide on request. Third, platforms should stop blocking individual cloned faces and start blocking the metadata of the upload patterns, which are far more stable than the faces themselves.

Coming next

Investigation #3 will look at the buyers - who actually pays for these clones and how their KYC submissions look from the inside. We are working from a leaked sample of 1,400 attempts. Drop the desk a tip.