LIVE · ON-CHAIN · Generated Thursday · May 7, 2026 · 18:47 UTC Issue №2026127 · bluewingintel.com
BlueWing Intel
Fraud Watch · Daily · BTC · ETH · SOL · TRX · BNB · Free
Issue №2026127
Thursday · May 7, 2026 · 18:47 UTC
Ed. #1 · First Edition

$2.88M flowed into Tornado Cash in the last 24 hours.

178 discrete deposits across four pool denominations, computed live from on-chain logs. Tornado's smart contracts were sanctioned in August 2022 — the contracts themselves are immutable and keep accepting ETH. This is what the chain actually shows, not an API estimate.

Editor's note — what this edition actually is
This is Fraud Watch №1. Every figure below is pulled live from public sources at generation time. No sample data, no padding. Sections without live signal are hidden, not filled. We lead with Tornado Cash deposit counts because the signal is timely, computable on free public RPC, and missing from every free competitor. Our proprietary labeled-wallet database seeds with every run.
Lead · Mixer Inflows · Tornado Cash · Last 24h

$2.88M in · 178 deposits · 1252.60 ETH

PoolDepositsETH inContract
0.1 ETH767.60 ETH0x12D66f87…
1 ETH6565.00 ETH0x47CE0C6e…
10 ETH28280.00 ETH0x910Cbd52…
100 ETH9900.00 ETH0xA160cdAB…
Computed via eth_getLogs against the four canonical Tornado Cash ETH pools. Contracts were designated by OFAC on 2022-08-08; they remain immutable and continue accepting deposits. Anyone who deposited in the last 24 hours has, by Treasury position, touched sanctioned infrastructure.
Our Focus · USDT-TRC20 on TRON · The Rail Nobody Covers
$275.5K
across 5 notable transfers in the latest Tronscan window — live from the chain, not an aggregator.

TRON USDT moved ~$62B at last issuance count and is the dominant stablecoin venue for pig-butchering, ransomware off-ramps, and sanctions evasion. Sell-side doesn't cover it. Chainalysis dashboards it but won't publish it. This is BlueWing's lane.

AmountTime (UTC)From → To
$17.0K2026-05-07 18:47TWMgoy1q…eR7ta8 THbXb4fx…swneJPtrace →
$73.5K2026-05-07 18:47TS5KqemE…3z1aKP TENWBz9z…mW8pNCtrace →
$10.0K2026-05-07 18:47TB7kbwF4…oiGTTe TVmHMp77…YMVDkytrace →
$165.0K2026-05-07 18:47TAMpC4B9…ikRsvD TAMbC2kC…jbXZCatrace →
$10.0K2026-05-07 18:47TP3r8rkA…eRnoY8 TS76o4YX…uxQQT3trace →

BTC Whale Moves · Last 24h

Transactions ≥5.0 BTC from mempool (unconfirmed) and the latest block (confirmed). Live from blockchain.info and mempool.space.

SizeTransactionState
97.16 BTC $7.79M184a451b…027aa1confirmed
21.29 BTC $1.71Mdc260b4a…3dd56dmempool
14.78 BTC $1.18M51b09654…82b476mempool
5.93 BTC $474.9Ka356bbfc…218765mempool

Protocol Exploits · Rekt Ledger · Last 30 Days

$290.0M
KelpDao
4/18/2026 A2 · Rekt

DPRK breached LayerZero's infrastructure, forged a bridge message, and walked $290 million out of KelpDAO in one transaction. Aave is holding hundreds of millions in bad debt. The dominoes are still falling. DeFi United is scrambling to catch them.

KelpDAOLayerZeroAave
post-mortem →

Live X Alerts · PeckShield / SlowMist / ZachXBT · Last 72h

  • @zachxbt 2026-05-07 10:29
    Price manipulation now happens almost every week, with $LAB by @LABtrade_ becoming the latest pump-and-dump token while Bitget continues playing the usual CEX role. The LAB team, @vsadkovv, appears to control a significant portion of the supply. Wallets linked to the team still hold large allocations: 0x7Cfd8d2d8626B
    view post →
  • @SlowMist_Team 2026-05-07 07:02 BASE
    🚨 A typical AI Agent security incident recently occurred on the Base chain. An attacker sent a carefully crafted Morse code message to @grok, inducing it to output transfer instructions. @bankrbot then directly parsed and executed those instructions, ultimately leading to the transfer of real on-chain assets. Our ana
    view post →
  • @SlowMist_Team 2026-05-07 03:20 ETH
    🚨SlowMist TI Alert🚨 💸 Loss: ~1,291.16 ETH + ~1,268,771 USDC + ~206,282 USDT + ~16.94 WBTC @trustedvolumes 🔍 Root Cause: In fillOrder function (selector 0x4112e1c2) of RFQ Implementation, signature validation checks _allowedSigners[msg.sender][signer] using caller (taker) instead of order's maker as key, allowing re
    view post →
  • @PeckShieldAlert 2026-05-07 02:17
    #PeckShieldAlert @trustedvolumes has been exploited for ~$5.9M, including $3.02M $ETH,$1.37M $WBTC & 1.47M stablecoins, the exploiter has swapped the stolen funds for 2.513K $ETH
    view post →
  • @CertiKAlert 2026-05-07 01:25
    #CertiKInsight 🚨 We have seen ~$5.87M pre-approved fund stolen through 0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756. The attacker registers as an AllowedOrderSigner through a public function, then executes the order to transfer from the victim. Please revoke any approval to the vulnerable contract. Stay vigilant!
    view post →
  • @PeckShieldAlert 2026-05-06 19:08 ARB
    It seems the 0x1f4c_Kelp DAO Exploiter on ethereum is being liquidated (w/ ~$123m debt) in @aave Here is the related tx: etherscan.io/tx/0xe2391ea418… The arbitrum position is also liquidated: arbiscan.io/tx/0x78b41623cd2…
    view post →
  • @zachxbt 2026-05-05 12:51
    8/ While these Chinese investment frauds are obvious to most, they purposely target unsophisticated retail investors via social media. Reading through victim posts, many still seem to be in denial that they were scammed. If you are a victim of BG / DSJ I suggest filing a police report in your jurisdiction (US victims
    view post →
  • @zachxbt 2026-05-05 12:51 TRX
    7/ I performed a timing analysis to find withdrawals and located Solana/Tron deposits to Binance and found matching Tron withdrawals and provided details to relevant parties. It resulted in $38.4M frozen by Tether on May 4 (yesterday) with another $3.1M+ frozen at various services/exchanges.
    view post →
  • @zachxbt 2026-05-05 12:51
    6/ I traced $93M+ in outflows from consolidations to multiple deposit addresses from April 27 to May 3, 2026. Cobo ($63M total received) TFjQWjNkyTJ5xmqy87WBTYaUS7gWzLuWzu TD1yXHq8NAPFZN5tCAAsd2HsrYfMuuqGCq TMsA7dJpEYJ8r8HCGK7tyAg5NGtJzFWMom TN5YhGsCBPZSi3ATUp2G5wht5Wmbumy23o OKX ($30M total received) TTV5Dn2tfU16Nzr
    view post →
Forensic reports · when a daily scan is not enough

Stop guessing. Start citing.

A risk verdict in thirty seconds, a filable report in three days, or the full intelligence package in ten. Same evidence discipline every BlueWing PDF has shipped since day one: SHA-256 manifests, confidence-graded findings, and a transaction hash behind every claim.

Free · Risk Check
Thirty seconds · Public
$0
Paste the address. Green, yellow, or red in under thirty seconds. OFAC and sanctions, drainer and scam-registry hits, exposure tags, one-line plain-English summary. Enough to know whether to walk away or pick up the phone. No credit card.
First 3 lookups · no email needed
Then 2 / day · 10 / week · email-verified
Cloudflare Turnstile bot protection
Check a wallet now →
Pro · On-Chain Report
On-chain analysis - 24 hr delivery
$2,500
For the deal that needs a paper trail. Full transaction history, a three-hop connected-wallet graph, mixer entry flags, supply-concentration analysis, drainer-ring identification, multi-chain on the single entity. Watermarked PDF with SHA-256 evidence manifest, independently verifiable by your counterparty. Priced to close on a corporate card. No RFP. No committee.
Request a Pro report →
Founding price
Elite · Full Intelligence
On-chain + OSINT - 48 hrs delivery
$7,500
$12,500 at list after founding window
For serious matters where counsel is already involved. Everything in Pro, plus the OSINT layer that holds up under scrutiny: GitHub scam-site enumeration, IPFS metadata, WHOIS pivots, social and homoglyph cross-reference, up to three chains with a five-hop network graph. Structured JSON export for the data room. Optional on-chain anchoring for chain-of-custody. Used by attorneys in live crypto-fraud matters.
Request an Elite report →
Source status this run: mixer flowsofacofac delta weekrektscamsniffercoingeckosecx alertsbtc whalestrx usdt flowstether frozenphishing domainschainabusedefillama hacks