⚠️ ACTIVE FRAUD — nanotrading.online is still live.

Document Forgery Forensics

The criminals sent two PDF documents to the victim as "official" proof of the investment account. PDF metadata analysis exposes the true origin of both files. This evidence is court-admissible and reproducible by any technical examiner.

EXHIBIT A — PDF METADATA
Investment Mandate Document
FORGERY CONFIRMED

Document Title Claimed: "Official Investment Mandate"
PDF Creator Field: PyFPDF 1.7.2
PDF Producer Field: PyFPDF 1.7.2
Expected Creator (real firm): Microsoft Word, Adobe Acrobat, DocuSign
PyFPDF 1.7.2 Library: Open-source Python PDF generation, last updated 2012

Forensic Conclusion
A Python programmer created this document using an open-source library. It was not produced by any financial institution. The $1.2 million account referenced in this document does not exist.

EXHIBIT B — PDF METADATA
Account Statement Document
FORGERY CONFIRMED

Document Title Claimed: "Investment Account Statement — $1,200,000"
PDF Creator Field: PyFPDF 1.7.2
PDF Producer Field: PyFPDF 1.7.2
Account Balance Shown: $1,200,000.00 (entirely fabricated)
Same Library as Exhibit A: YES — identical toolkit, same operation

Forensic Conclusion
Same library as Exhibit A confirms both documents were generated by the same operator using the same toolkit. The balance of $1,200,000 is a number typed into a Python script. There was never a real account.

How to Verify PDF Metadata — Step-by-Step

Method A — Windows File Properties

  1. Right-click the PDF file
  2. Select "Properties"
  3. Click the "Details" tab
  4. Look for "Authors," "Content Created," and "Program Name" fields
  5. If you see PyFPDF, FPDF, or any Python library — the document is forged

Method B — Adobe Acrobat

  1. Open the PDF in Adobe Acrobat or Reader
  2. Go to File → Document Properties (Ctrl+D)
  3. Click the "Description" tab
  4. Check "Creator" and "PDF Producer" fields
  5. A real financial institution will show Microsoft Word, Adobe Acrobat Pro, or similar professional software
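
A scriptable version of the same check, added here as an example (it is not part of the original case file): it reads the Creator and Producer entries straight from the PDF's document information dictionary, which is where both methods above get their values. The sample bytes are a constructed fragment using the field values from Exhibit A, and the list of library names beyond PyFPDF/FPDF is an assumption.

```python
import re

# Generator names to flag. PyFPDF/FPDF come from this page; the rest are
# illustrative assumptions and should be tuned by the examiner.
SCRIPTED = re.compile(r"pyfpdf|fpdf|reportlab|pypdf", re.I)
# Matches /Key (literal string) or /Key <hex string>. Nested unescaped
# parentheses inside a literal string are not handled.
FIELD = re.compile(rb"/(Title|Author|Creator|Producer|CreationDate)\s*"
                   rb"(?:\((.*?)(?<!\\)\)|<([0-9A-Fa-f\s]*)>)", re.S)

def _text(lit: bytes, hx: bytes) -> str:
    """Decode a PDF string: hex or literal, UTF-16BE if it starts with a BOM."""
    if hx:
        h = re.sub(rb"\s", b"", hx).decode()
        raw = bytes.fromhex(h + "0" * (len(h) % 2))
    else:
        raw = re.sub(rb"\\([()\\])", rb"\1", lit)
    if raw[:2] == b"\xfe\xff":
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")

def info_fields(pdf: bytes) -> dict:
    """Fields of the Info dictionary named by the last trailer.

    The last /Info reference and the last definition of that object win,
    because incremental updates append newer copies to the end of the file.
    """
    refs = re.findall(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not refs:
        return {}
    num, gen = refs[-1]
    bodies = re.findall(rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % (num, gen), pdf, re.S)
    if not bodies:
        return {}  # e.g. the Info object sits inside a compressed object stream
    return {k.decode(): _text(lit, hx) for k, lit, hx in FIELD.findall(bodies[-1])}

def scripted_generator(fields: dict) -> list:
    """Which of Creator/Producer name a scripted PDF library."""
    return [k for k in ("Creator", "Producer") if SCRIPTED.search(fields.get(k, ""))]

# Constructed fragment (not the real exhibit) carrying Exhibit A's field values.
SAMPLE = (b"%PDF-1.3\n1 0 obj\n<< /Title (Official Investment Mandate) "
          b"/Creator (PyFPDF 1.7.2) /Producer (PyFPDF 1.7.2) >>\nendobj\n"
          b"trailer\n<< /Size 2 /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    fields = info_fields(SAMPLE)
    print(fields, scripted_generator(fields))
```

The Info dictionary is ordinary writable data inside the file, so record the file's hash together with the extracted fields; that lets another examiner reproduce the reading from the same bytes.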

Domain OSINT — nanotrading.online

DOMAIN INTELLIGENCE
Still Live

Domain: nanotrading.online
Registrar: HostGator / EIG / Newfold Digital
TLD Category: .online (premium fraud domain preference)
Site Content: Fake investment platform UI — portfolio, market data, withdraw fees
Critical Feature: WALLET DRAINER PRESENT
Site Status (Apr 4, 2026): STILL LIVE
Abuse Contact: abuse.hostgator.com / security@hostgator.com

⛔ Wallet Drainer — Immediate Danger
nanotrading.online contains a page that asks visitors to "verify" their wallet by connecting MetaMask, TrustWallet, or similar. This is a seed phrase harvester — it is designed to steal your private key and drain your entire wallet.

If you connected a wallet to this site:
1. Immediately create a new wallet with a fresh seed phrase
2. Move ALL assets to the new wallet right now
3. Revoke all token approvals from the compromised wallet
4. Assume everything in the old wallet is compromised forever
REGISTRAR ABUSE PATH

HostGator is an ICANN-accredited registrar operating under Domain Abuse Response policies. Submitting an abuse report with our forensic documentation is required and can result in domain suspension.

Abuse Report Process

  1. Go to: https://www.hostgator.com/abuse
  2. Or email: security@hostgator.com
  3. Subject: Phishing/Fraud Domain — nanotrading.online
  4. Attach: This site's URL and the case PDF
  5. Include: Evidence that the site contains a cryptocurrency wallet drainer and is used in advance-fee fraud
Also Report to
Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish/ — will block the site in Chrome, Firefox, Safari
PhishTank: phishtank.org — community phishing database
ICANN UDRP: For domain cancellation (requires attorney)

Regulatory Database Searches

Any legitimate investment firm managing client funds must be registered with financial regulators. We searched nine major databases. Not one registration was found for any variant of "Nanotrading Investment." This alone is disqualifying — operating an investment firm without registration is a federal crime.

Regulatory Body | Jurisdiction | Database Searched | Search Terms | Result | Significance
SEC | US Federal | EDGAR + Investment Adviser | Nanotrading Investment, NanoTrade, NTI Capital | NO RECORD | Cannot legally solicit US investors
FINRA | US Federal | BrokerCheck | Nanotrading, NanoTrade, Daniel Schumer | NO RECORD | Cannot legally operate as broker-dealer
CFTC | US Federal | LabCFTC databases | Nanotrading Investment LLC | NO RECORD | Cannot trade commodities/futures
FCA | United Kingdom | FCA Financial Services Register | Nanotrading* | NO RECORD | Not authorized to operate in UK
ASIC | Australia | ASIC Connect | Nanotrading* | NO RECORD | Not authorized in Australia
MAS | Singapore | MAS Financial Institutions Directory | Nanotrading* | NO RECORD | Not authorized in Singapore
SFC | Hong Kong | SFC Public Register | Nanotrading* | NO RECORD | Not authorized in HK
UK Companies House | United Kingdom | Companies House Beta | "Nanotrading" entities | NO MATCH | Not a registered UK company
SEC Enforcement | US Federal | SEC EDGAR Enforcement Releases | Nanotrading Investment | SIMILAR PATTERNS FOUND | SEC has prosecuted near-identical advance-fee schemes

What Zero Registrations Means Legally
Under US Federal law (Securities Act of 1933, Securities Exchange Act of 1934, Investment Advisers Act of 1940), any person or firm that solicits investments, manages client money, or charges fees related to investment services must be registered with the SEC, FINRA, or applicable state securities regulators. No registration = operating illegally. The fraud was illegal from the moment the first email was sent. This is a key element in SEC and DOJ prosecution of similar cases.

On-Chain Evidence Summary

All blockchain data cited here is publicly verifiable on TronScan.org. No subpoena required — this data is permanent, immutable, and has already been preserved as evidence.

Key On-Chain Facts

$7,080 USDT Confirmed Received
8 TRC-20 USDT transfers to TGf5bSmBBUPAY7bhsGhmafeD8w19h6sLdb, May–Sep 2025. All verifiable on TronScan.
Rapid Sweep Pattern
Every deposit swept within 24–48 hours. This pattern is characteristic of professional fraud operations avoiding account freezes.
Bybit Gas — Same Day as Victim Payment
August 11, 2025: Bybit hot wallet sent TRX gas to fraud wallet on the exact same day the victim sent $1,000 USDT. Forensic evidence of real-time operational monitoring.
$483.88 USDT Still in Fraud Network
$116.94 in TSt36w9... + $366.94 in TLSptUx... = $483.88 confirmed fraud proceeds still held as of investigation date.
Two Independent KYC Exchange Paths
Bybit (gas sender) and Gate.io (energy delegator) are both regulated exchanges that hold the operator's real KYC identity. Either exchange can identify the fraud operator via law enforcement request.

USDT Contract Address

TRC-20 USDT CONTRACT
TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t
Tether USD (USDT) — TRC-20 token on TRON mainnet. All fraud payments were made in this token. Tether Ltd. has legal authority to freeze balances at this contract.

Method Signatures Identified

Method Signature | Function | Count in CSV
a9059cbb | transfer(address,uint256) — USDT transfer | ~20 transactions
9ddf93bb | DEX swap (likely SunSwap) | ~6 transactions
095ea7b3 | approve(address,uint256) — token approval | ~4 transactions
(TRX transfer) | Native TRX transfer — gas funding | ~30+ transactions

DEX Swap Activity
DEX swap activity (9ddf93bb) on the fraud wallet indicates the operators converted some USDT to TRX or other tokens using a decentralized exchange. This is a money laundering technique — converting one token to another makes tracing harder. However, all swaps are still publicly visible on-chain.
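
How the method signatures in the table above map onto raw call data, shown as an added example (not taken from the case CSV): the first 4 bytes select the function, and for transfer/approve the next two 32-byte words carry the address and the amount. The sample call data and its recipient are constructed, and the 6-decimal scaling is USDT's token precision.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# 4-byte method IDs and signatures as listed in the table above.
SELECTORS = {"a9059cbb": "transfer(address,uint256)",
             "095ea7b3": "approve(address,uint256)"}

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Base58Check text form of a 21-byte TRON address (0x41 + 20-byte hash)."""
    n = int.from_bytes(payload + _checksum(payload), "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def b58check_decode(addr: str) -> bytes:
    """Inverse of b58check_encode; a mistyped address fails the checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes(25, "big")  # 21-byte payload + 4-byte checksum
    if _checksum(raw[:21]) != raw[21:]:
        raise ValueError("checksum mismatch: " + addr)
    return raw[:21]

def decode_call(data_hex: str, decimals: int = 6) -> dict:
    """Decode TRC-20 call data. For approve, 'address' is the spender."""
    data = bytes.fromhex(data_hex)
    sel = data[:4].hex()
    out = {"selector": sel, "method": SELECTORS.get(sel, "unknown")}
    if sel in SELECTORS and len(data) == 4 + 64:
        # The address is the low 20 bytes of the first 32-byte word.
        out["address"] = b58check_encode(b"\x41" + data[16:36])
        out["amount"] = int.from_bytes(data[36:68], "big") / 10**decimals
    return out

# Constructed sample: transfer of 1,000 USDT to a made-up 20-byte recipient.
RECIPIENT = bytes(range(1, 21))
SAMPLE = "a9059cbb" + RECIPIENT.hex().rjust(64, "0") + f"{1000 * 10**6:064x}"

if __name__ == "__main__":
    print(decode_call(SAMPLE))
    print(decode_call("9ddf93bb"))  # selector only: reported as unknown
```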

Energy Operator Analysis

TRON transactions require "energy" — a resource for contract execution. The fraud operation used both legitimate commercial energy services and a suspicious high-value dark market provider. This analysis reveals operational sophistication and a potential FinCEN referral target.

What is TRON Energy?

Unlike Ethereum (which uses gas paid in ETH), TRON uses an "energy" system for contract execution. Energy is obtained by "freezing" TRX, or it can be rented from energy market providers. Sophisticated TRON users rent energy rather than freeze their own TRX — it's cheaper and leaves a lighter trace.

The fact that this fraud operation used energy rental services is evidence of TRON sophistication — the operators know TRON well. This is consistent with an organized operation that runs multiple wallets and campaigns simultaneously.

GasFree4uCOM — Commercial Energy Service

Token Name: GasFree4uCOM
Amount Received: 35.33 tokens (airdropped to fraud wallet)
Classification: Commercial TRON energy rental service
Status: Legitimate commercial service (not itself criminal)
Significance: Shows operator awareness of TRON energy market; consistent with experienced TRON users

Target: Dark Energy Market Operator

⚠️ CRITICAL FINDING — FinCEN Referral Target
Wallet TCvnWqQ2hFqqHFjpcCyRDZYb261G6WYdo4 holds approximately $27.3 million in TRX (~7.5 million TRX) and appears to provide energy on a large scale to hundreds of wallets, including wallets associated with this fraud. This wallet may constitute an unlicensed Money Services Business (MSB) under the Bank Secrecy Act, providing financial services to criminal organizations without FinCEN registration.

DARK ENERGY MARKET ANALYSIS
Wallet Address: TCvnWqQ2hFqqHFjpcCyRDZYb261G6WYdo4
TRX Balance: $27,300,000+ (~7.5M TRX)
Activity Pattern: Mass delegated energy to hundreds of wallets
Connection to Case: Energy provided to fraud-associated wallets
Potential Violation: FinCEN MSB registration (31 CFR 1022)
Referral Target: FinCEN, FinCEN SAR filing recommended

Spam Token Analysis

Four unsolicited "spam tokens" were airdropped to the fraud collection wallet. While these airdrops are not criminal by themselves, they provide forensic intelligence about the wallet's presence in the TRON ecosystem and the types of services that interact with active fraud wallets.

Token Name | Amount Received | Nature | Forensic Significance
HASH8NET | 888.8 tokens | Spam/advertisement airdrop | Contains embedded phishing link — secondary criminal activity in same ecosystem
tron.ink | 1,000,000 tokens | Advertising spam | 1M token airdrop = attention grab; confirms wallet was "known" to TRON spammers as active
Pay.bi | 8,888.88 tokens | Payment service advertisement | Numerology pattern (8888) common in China-adjacent crypto operations
GasFree4uCOM | 35.33 tokens | Commercial energy rental | Legitimate energy service; fraud operator may have also purchased energy from this provider

What Spam Token Patterns Tell Us
The Chinese numerology pattern (888 / 8888.88) in the Pay.bi airdrop, combined with the Southeast Asia operational profile assessment, aligns with organized TRON fraud operations originating from China, Southeast Asia, or Chinese-diaspora criminal networks. This is not conclusive but is consistent with the broader intelligence picture.