This site is the official public record of a forensic investigation into a professional cryptocurrency advance-fee fraud operation. The perpetrators fabricated investment accounts, stole $36,150 from a single confirmed victim, and are actively targeting more people right now. Every fact here is documented, on-chain, and court-admissible.
This is a public forensic investigation record maintained by the FTH Digital Forensics Unit. We document cryptocurrency fraud using blockchain analysis, document forensics, and open-source intelligence (OSINT). All findings are published here so that victims, lawyers, law enforcement, and exchanges have a single verified source of truth.
The fraud this site covers: An organized criminal group operating as "Nanotrading Investment" contacted victims claiming they were owed a large investment account. To receive the money, victims were told they needed to pay fees in USDT cryptocurrency. The fees never stop — every payment generates a new excuse for another payment. The investment account does not exist.
We have traced every USDT transaction, identified the exchanges the criminals used, built a complete legal brief, and produced professional documents ready for FBI, SEC, and exchange compliance submission. Everything you need to build a case is on this site.
PyFPDF 1.7.2 Python library — not a financial institutionSix sections, built for victims, lawyers, and law enforcement. No technical knowledge required.
How the fraud works, who is behind it, all three personas analyzed, entity intelligence, and the full timeline from May 2024 to present.
All 14 identified wallets with roles, current balances, TronScan links, and direct links to file ChainAbuse reports for every address.
Document forensics (PDF metadata), regulatory database results, domain OSINT, transaction timeline, and energy operator analysis.
Applicable federal statutes, regulatory filing targets, civil recovery theory, draft exchange compliance letters, and Tether freeze templates.
Step-by-step guide for victims and advocates. Where to file complaints, who to contact, and what to say. Direct links to FBI, FTC, SEC, ChainAbuse and more.
Professional PDFs ready for law enforcement, attorneys, and exchange compliance teams. Full case package, legal brief, and wallet trace — all formatted for submission.
This fraud follows a documented global pattern used by organized criminal groups, particularly from Southeast Asia. Here is the exact script they use, step by step.
The victim is contacted out of nowhere, usually via messaging app or email. The message claims that a deceased relative, former business partner, or stranger has left behind a large investment account — and the victim has been designated as the new beneficiary. In this case, a person named "Mark Johnson" allegedly left $1.2 million in an account.
To appear legitimate, the criminals send professional-looking PDF documents: an "Investment Mandate" letter and a detailed "Account Statement" showing the $1.2 million balance. These documents look real. They have letterheads, case numbers, and official formatting. They are completely fake. Our forensic analysis confirmed both PDFs were generated by a Python programming library called PyFPDF — the same tool a developer uses to make receipts. A real financial institution uses bank-grade document management software, not open-source Python scripts.
Once trust is established, the "account manager" (in this case: Daniel Joseph Schumer) explains that international financial regulations require a 5% clearance fee — approximately $60,175 — before the funds can be released. This must be paid as USDT cryptocurrency to a specific TRON wallet address. This is the core of the fraud. No legitimate institution charges a percentage-of-account fee to release funds to a beneficiary.
After the first payment, a new problem arises. Then another. Then another. The victim had already paid $36,150 and was being asked for more. Each new fee comes with a new fake document — a "debit memo," an "insurance requirement," a "tax clearance." The excuses are carefully engineered to feel believable. The real pattern: the demands never stop until the victim has no more money to send.
Once a victim stops paying or becomes suspicious, the operators sweep all collected USDT through a chain of wallets to obscure the trail, then abandon the fraud collection wallet and move on to new victims under a new brand name. The wallet used for this case ($7,080 total) was swept clean and abandoned on September 10, 2025. The operators have been running new campaigns ever since.
We identified and classified 14 wallets involved in this fraud. Here are the five most critical.
Two regulated exchanges — Bybit and Gate.io — hold KYC records for the accounts that fed money into this fraud. A law enforcement letter or attorney subpoena to either exchange will reveal the real name, passport, and contact details of the fraud operator. The draft letters are ready and on this site.
View Draft Letters →