Thai Authorities Partner With Private Sector To Recover $432,000 in Stolen Crypto
In November 2025, Thailand’s Cyber Crime Investigation Bureau (CCIB) announced a landmark case in collaboration with Binance, Bitkub, and Tether, resulting in the recovery of approximately 432,000 USDT (over 14 million THB) stolen from multiple Thai victims. The operation represents one of the most successful examples to date of real-time coordination between global exchanges, stablecoin issuers, blockchain analytics, and law enforcement.
TRM Labs is proud to support CCIB, Tether and Binance in this and other investigations. Using TRM’s blockchain intelligence platform, CCIB was able to trace cross-chain flows, map the laundering process, and identify key wallets tied to the perpetrator, ultimately helping authorities secure and return stolen funds.


This case highlights the growing maturity of public-private collaboration — such as the T3 Financial Crime Unit (TRON, Tether and TRM + Binance) — in the fight against crypto-enabled financial crime. The coordinated effort is a blueprint for how blockchain transparency, when paired with advanced analytics and fast action, can protect consumers and safeguard digital finance.
The Attack
The case began when a victim unknowingly installed malware, believed to have been delivered when the victim clicked a link on an investment-related website. The malware searched for sensitive data including Google Authenticator key backups, seed phrases, and wallet recovery words. Armed with these credentials, the perpetrator gained full control of the victim’s cryptocurrency trading accounts, converting all assets into USDT (except for Bitcoin) and transferring them into prepared digital wallets.
Initial losses totaled roughly 93,000 USDT and 2.5 BTC, but further investigation revealed six additional victims who had fallen prey to the same scheme. In each case, the attacker gained access to trading accounts, changed withdrawal destinations, and used peer-to-peer transactions to move funds. Combined, total losses exceeded 432,000 USDT (over 14 million THB).
Investigators determined that the hacker was a foreign national from an Eastern European country bordering Asia, and that the malware campaign likely originated from phishing pages impersonating legitimate investment platforms.
Following the Money
Using TRM’s blockchain tracing tools, CCIB analysts reconstructed the attacker’s movements across multiple wallets and exchanges. The stolen crypto was sold through peer-to-peer (P2P) markets and transferred into a Perfect Money account, a payment service now discontinued but historically used for high-risk transfers.
Despite the attacker’s attempts to fragment funds and conceal the trail, CCIB, Binance, and Bitkub investigators were able to trace the flow of assets on-chain in real time, identifying a clear cluster of wallets linked to the perpetrator.
Once sufficient evidence was established, CCIB coordinated with Tether to freeze the suspect’s digital wallet transactions, stopping any additional movement of funds and preventing cashouts. This swift freeze was instrumental — it locked the funds in place while technical teams prepared a recovery plan.

Recovery and Technical Coordination
After the freeze, CCIB secured control over the perpetrator’s wallet but faced a complex challenge: how to safely move the funds to government custody without triggering automated “auto-sweep” functions — code designed to instantly drain funds when interference is detected.
Working closely with Bitkub’s technical team, CCIB reviewed the relevant smart contracts, identified potential withdrawal triggers, and implemented protective measures to neutralize them. This collaboration ensured the integrity of the assets while enabling safe transfer.
With these safeguards in place, 432,000 USDT was successfully moved from the attacker’s wallets to a secure, government-controlled wallet under CCIB management. This marked one of Thailand’s largest on-chain recoveries to date — an extraordinary example of the speed and precision achievable when technology and teamwork converge.
Global and Private-Sector Collaboration
This case stands as a model for cross-border collaboration between the private sector and law enforcement. Binance provided investigative support, assisting with wallet intelligence, compliance coordination, and exchange-level tracing. Bitkub contributed on-the-ground technical expertise to safeguard assets and facilitate secure transfer operations. Tether’s rapid response froze suspect wallets in near real time.
Throughout the investigation, CCIB used TRM Labs’ blockchain analytics to visualize the laundering network, analyze fund flows, and support evidentiary documentation for seizure orders. This layered approach — data, analysis, coordination, and action — underscores how blockchain intelligence enables meaningful, real-world enforcement outcomes.
Restitution to Victims
Following the recovery, CCIB initiated Thailand’s official restitution process. The recovered 432,000 USDT will be returned to victims in the form of stablecoins, preserving the value of their holdings and ensuring a transparent, on-chain return process.
All funds are currently secured in a government-controlled, multi-signature cold wallet, pending final verification and court approval. The restitution process — returning stolen crypto in kind — represents an important milestone in the modernization of asset recovery frameworks worldwide.
Lessons for Global Enforcement
This case demonstrates key lessons for combating crypto-enabled financial crime:
- Speed and partnership save assets. The swift response between CCIB, Binance, Bitkub, Tether, and TRM was the decisive factor that made full recovery possible.
- Blockchain transparency is a strength. Even as attackers use P2P channels or discontinued payment systems, the immutable record of the blockchain allows investigators to rebuild the entire financial trail.
- Private-sector engagement multiplies impact. Coordinated action by exchanges, analytics firms, and stablecoin issuers represents the future of global financial enforcement.
- Education and hygiene remain essential. The incident began with a single malicious link — a reminder that basic cybersecurity practices remain the first line of defense against sophisticated actors.
Conclusion
The November 2025 CCIB–Binance–Bitkub–Tether investigation represents a milestone in global crypto enforcement. It proves that the same technology used by criminals to move value across borders can be used by defenders to track, trace, and recover it — with speed and precision.
TRM Labs is proud to support CCIB and Binance in this case and in broader efforts to combat crypto-enabled financial crime. Together with global law enforcement and exchange partners, TRM continues to deliver advanced blockchain intelligence tools that enable investigators to trace illicit flows, recover stolen assets, and protect users worldwide.
This case demonstrates what’s possible when technology, transparency, and teamwork intersect — a vision at the core of TRM’s mission to build a safer financial system through blockchain intelligence.