Complete forensic analysis of the Nanotrading Investment fraud operation — suspect personas, document forgery evidence, entity intelligence, fund flow mapping, and group activity assessment.
This investigation concerns an organized cryptocurrency fraud operation that identified itself as "Nanotrading Investment" — an entity with no regulatory registration of any kind, no SEC filing, no FINRA record, no foreign regulatory authorization, and no legitimate business structure.
The scheme is a textbook advance-fee investment fraud with cryptocurrency payment rails. The victim was told he was the beneficiary of a $1.2 million investment account previously owned by a deceased/departing account holder named "Mark Johnson." To receive the funds, he would need to pay a series of fees — termed a "5% clearance fee," amounting to approximately $60,175.
The victim paid a total of $36,150 in USDT cryptocurrency across multiple transactions before becoming suspicious and halting further payment. Our investigation traced $7,080 of the payments to on-chain TRON wallets and mapped the complete disbursement network.
The operation is assessed as still active. Funds continued cycling through identified sink wallets as recently as March 25, 2026. The fraud website nanotrading.online remained live as of the April 4, 2026 investigation date.
| Case Number | NTI-LEAVITT-2026-001 |
| Case Type | Advance-Fee Investment Fraud |
| Payment Method | USDT (TRC-20) on TRON |
| Total Claimed Stolen | $36,150 USD |
| On-Chain Traced | $7,080 USDT (8 transactions) |
| Wallets Identified | 14 (4 crime, 4 exchange, 6 operator) |
| Estimated Start Date | May 2024 (based on domain registration) |
| Fraud Collection Active | May 10 – September 10, 2025 |
| Operation Last Active | March 25, 2026 (sink cycling) |
| Fraud Website | nanotrading.online (still live) |
| Confirmed Exchanges | Bybit, Gate.io |
| Entity Variants Identified | 13 (Nanotrading, Nanotrade, etc.) |
| Designation | Primary Victim / Complainant |
| Case Reference | LEAVITT in NTI-LEAVITT-2026-001 |
| Total Paid | $36,150 USD |
| Payment Method | USDT via TRON network |
| Contact by Fraud | Messages referencing "Mark Johnson" account |
| Fraud Personnel | Daniel Joseph Schumer (primary); Emily; Kristin |
| Fraud Account Claimed | $1.2 million investment account |
| Pre-Payment Story | "5% clearance fee = $60,175" |
| Stopped Paying | Prior to reaching $60,175 limit |
William Leavitt is a private individual who was targeted by an organized fraud syndicate using a multi-step confidence scheme. The victim was methodically manipulated over a period of months, with the fraudsters using documents, titles, and professional language to establish legitimacy before extracting payments.
Three distinct personas were used to operate this fraud. These names are almost certainly aliases — the investigation identifies these as operational roles within the criminal group, not verified real identities. However, establishing the names used in communications is forensically important for law enforcement records.
"Daniel" was the primary contact for the victim throughout the fraud. He presented himself as the official "account manager" responsible for the $1.2 million investment account. He was the one who sent the forged investment mandate and account statement documents, and who demanded the fee payments.
The surname "Schumer" may be a deliberate choice — it shares a name with a well-known US Senator — to create an air of American familiarity. This persona was the most communicative of the three and appears to have had full operational awareness of the scheme.
"Emily" was a secondary contact who communicated with the victim at points during the fraud, likely serving as a backup account manager or "escalation" persona to give the operation the appearance of a real company with multiple staff members.
Her communications are documented in the case file but the specifics are reserved for law enforcement submission. She may represent a different member of the criminal group, or may be the same operator using a different identity for different communication channels.
"Kristin" appears to have been introduced as a "compliance officer" or "legal department" persona — a common element in wire fraud operations where a fake regulatory compliance function is used to make the fee demands sound more official and harder to question.
The three-persona structure (account manager, support, compliance) is a known operational template used by organized pig-butchering and advance-fee fraud syndicates in Southeast Asia. This structural sophistication is consistent with an organized group, not a lone actor.
The criminals built a professional-looking corporate identity for "Nanotrading Investment." Every element has been investigated. None of it is real.
| Database | Name Searched | Result |
|---|---|---|
| SEC EDGAR | Nanotrading Investment | NO RECORD |
| FINRA BrokerCheck | Nanotrading Investment | NO RECORD |
| SEC Investment Adviser | Nanotrading / NanoTrade | NO RECORD |
| CFTC LabCFTC | Nanotrading Investment LLC | NO RECORD |
| UK FCA Register | Nanotrading* | NO RECORD |
| ASIC (Australia) | Nanotrading* | NO RECORD |
| MAS (Singapore) | Nanotrading* | NO RECORD |
| SFC (Hong Kong) | Nanotrading* | NO RECORD |
| UK Companies House | "Nanotrading" entity | NO MATCH |
| Domain | nanotrading.online |
| Registrar | HostGator (EIG/Newfold Digital) |
| Registered | 2024 (inferred from operation timeline) |
| Content | Fake investment platform UI |
| Critical Finding | SEED PHRASE HARVESTER |
The operation has been identified under these name variants in different victim communications and registration attempts. All share the same infrastructure and methodology.
The criminals provided "official" documents to support their story. Forensic metadata analysis exposes the true origin of these documents. You don't need a court-ordered subpoena to prove they're fake — the files themselves tell the story.
| Document Purports To Be | Official financial institution mandate letter |
| Creator (PDF Metadata) | PyFPDF 1.7.2 |
| What PyFPDF Is | Open-source Python PDF generation library |
| Common Legitimate Uses | Developer-generated receipts, reports, invoices |
| Real Bank/Firm Uses | Microsoft Word, Adobe Acrobat, Foxit, DocuSign |
| Forensic Conclusion | Document created by a Python programmer, not a financial institution |
| Document Purports To Be | Investment account statement — $1.2M balance |
| Creator (PDF Metadata) | PyFPDF 1.7.2 |
| Same Author Tool? | Yes — both documents same origin library |
| Balance Displayed | $1,200,000.00 |
| Basis for that Balance | None — it is a fabricated number in a Python script |
| Forensic Conclusion | No account exists; document is entirely fabricated |
PyFPDF library stamps every PDF it creates with its version string as the "Creator" field.
This is verifiable by any attorney, examiner, or court-appointed expert with free tools like pdfinfo
or Adobe Reader's Document Properties panel. This is court-admissible evidence of document forgery.
PyFPDF 1.7.2, FPDF, or any programming library instead of
a word processor or financial software, the document was created by a programmer, not a financial institution.
Blockchain analysis traced $7,080 in USDT through 14 wallets across three layers of the distribution network. The criminals used a "fan-out" pattern — collecting into one wallet, then dispersing to many — to complicate tracing. We traced all of it.
This is not a lone scammer. The operational sophistication, multi-wallet architecture, exchange integration, energy market access, and cross-campaign activity are all characteristic of an organized criminal group. Here is what we know about the group.
| Operation Type | Organized advance-fee / pig-butchering hybrid |
| Estimated Size | Small to mid-tier group (3–15 operators) |
| Operational Since | ~May 2024 (based on domain age + history) |
| Estimated Total Victims | 50–200+ across all campaigns |
| Geographic Origin | Southeast Asia (high confidence — operational pattern) |
| Cryptocurrency Skill | Intermediate (TRON TRC-20, DEX swaps, energy markets) |
| Document Forgery Skill | Intermediate (PyFPDF, custom letterheads) |
| OPSEC Level | LOW-MEDIUM (used regulated exchanges with KYC) |
Domain nanotrading.online registered. Fraud document templates (Investment Mandate and Account Statement) created using PyFPDF 1.7.2. TRON wallets prepared. Exchange accounts established at Bybit and Gate.io. Operation toolkit assembled.
"Daniel Joseph Schumer" contacts victim claiming he is the beneficiary of "Mark Johnson's" $1.2 million investment account. Investment Mandate and Account Statement PDFs are sent. Victim is told he must pay a "5% clearance fee" of $60,175 to release the funds.
First confirmed USDT transfer from victim to fraud collection wallet TGf5bSmBBUPAY7bhsGhmafeD8w19h6sLdb. Same day: operation gas wallet TJDENsfBJs4RFETt1X1W8wMDc8M5XnJhCe sends 54 TRX to fund collection wallet transactions. First sweep within 24-48 hours.
Five payments totaling $4,080 USDT collected: May 10 ($3,000), May 13 ($280), May 14 ($200), May 15 ($300), May 17 ($300). Each payment swept within 48 hours to Layer 2 sink wallets. Operator gas wallet funds each sweep cycle.
Victim continues paying (reaching $36,150 total) but payments during this period are not all captured in the traced TRON wallet. Fraudsters escalate demands with new excuse documents. "Emily" and "Kristin" personas engaged. Payments may have gone to different wallets or been made via other methods.
Three more payments: Aug 5 ($1,000), Aug 11 ($1,000), Aug 25 ($1,000). Bybit hot wallet TU4vEruvZwLLkSfV9bNw12EJTPvNr7Pvaa sends TRX gas to collection wallet in August (Aug 11, Aug 23, Aug 31). Gate.io provides energy through exit wallet.
Last payment September 1, 2025. Collection wallet fully swept September 10, 2025. TGf5bSmBBUPAY7bhsGhmafeD8w19h6sLdb abandoned with $0 balance. Victim stops payment. Fraud collection campaign ends — operators move to new victims.
Forensic monitoring identifies continued activity in sink wallet network. Funds cycling through Layer 2/3 wallets 7 months after this campaign ended — confirming the operators are still active and likely running new fraud campaigns.
FTH Digital Forensics Unit opens formal investigation. CSV transaction data analyzed. 14 wallets identified. Exchange connections confirmed. Group intelligence profile completed. This site published. All documents submitted for law enforcement distribution.