Stellarfund.io Scam

TRM InsightsTRM Investigations

November 18, 2021

TRM's investigation of Stellarfund, spurred by an inquiry from English law firm Rosenblatt, offered a view into the bizarre underworld of crypto investment scams, which have recently proliferated, exploiting countless victims and siphoning off billions of dollars in ill-gotten gains.

TRM's assessment

Stellarfund.io was a Ponzi scheme following a well-worn pattern. Victims purchased investment shares with 'guaranteed' rates of return purportedly earned from a proprietary crypto trading algorithm. The rate increased with the amount of money contributed and the length of time investors agreed to lock their funds in. Victims were ultimately unable to withdraw their profits, let alone their initial investments.

Interestingly, the scam integrated traditional Ponzi elements with a pump-and-dump scheme for an alt-coin known as Bitcoin POS (Proof of Stake). TRM's analysis suggests the scheme likely collected a staggering sum — $70 million — from its victims. Off-chain analysis of corporate records and web posts have identified links between the scam and real-world personalities, including the notorious Ponzi organizer Josip Heit. The promotion of BitcoinPOS was reminiscent of Heit's earlier alt-coin scam G999.

Details of the scam

A review of available open-source information suggests stellarfund.io and its associated scams are almost certainly Ponzi schemes, for which the target audience appears to have been English and German-speaking investors.

German-language ads targeted users with a traditional Ponzi-scheme/MLM arrangement. New users were encouraged to recruit additional investors with promises of reward payments. These rewards were likely paid with subsequent investments by new victims, and/or market appreciation of the value of the underlying invested cryptocurrencies.

The use of investors' funds to pump a fraudulent cryptocurrency, BitcoinPoS, is reminiscent of the recently disrupted Finiko scam as well as Josip Heit's early-2021 scheme surrounding the G999 token.

Demo video showing MLM incentive structure behind stellarfund.io; https://www.youtube.com/watch?v=2_zyXupCkyA
Demo video showing MLM incentive structure behind stellarfund.io; https://www.youtube.com/watch?v=2_zyXupCkyA

The English-language website functioned along slightly different lines. It locked investors into terms of six months or one year, with higher returns promised for the longer-term investment.

Two-tier investment scheme, as of May 2020

On-chain analysis

Using deposit information from known victims of the scam, TRM identified two key clusters of addresses used by the Stellarfund. Cumulatively, these clusters received over $70 million USD in deposits, though some of these funds may be double counted given on-chain connections between the clusters. While composed of over 2,500 and 900 Bitcoin addresses, respectively, single addresses in each cluster sent and received the majority of funds in each. Both clusters continue to send and receive funds as of September 2021, though volumes on each declined precipitously circa January 2021.

The volume of Bitcoin collected by Stellarfund closely mirrors the market price of BitcoinPOS. This correlation suggests the funds raised by Stellarfund may have been used to artificially pump the price and volume of BitcoinPOS itself. If this scenario is correct, the Ponzi scheme may have been primarily used as a fundraising mechanism for the altcoin.

Transaction volume of large cluster controlled by Stellarfund

Price of BitcoinPOS as reported by CoinMarketCap

In practice, all Bitcoin received by Stellarfund were laundered almost immediately upon receipt. While these patterns varied from transaction to transaction, the scammers appear to have pooled deposits in increments of $2-300k. Once this threshold amount was reached, the funds were dispersed to new, unhosted addresses. From these new addresses, funds were peeled off in small amounts, usually less than $1,000, then deposited at a range of crypto exchanges and payment services. Stellarfund appears to have occasionally moved larger increments of funds to exchanges. It is unclear at this time what motivated these larger transactions.

Corporate Records Analysis

StellarCaptial s.r.o

Screenshots of archived versions of the stellarfund.io website revealed a changing ownership scheme over time. While currently claiming to be owned by a UK firm, GS&MA Stellar, in early-2020, the site listed a Slovakian company, StellarCapital s.r.o., as its owner:

stellarfund.io as of March 2020
stellarfund.io as of 15SEP21

Slovakian records for StellarCapital s.r.o. are extensive and provide potentially valuable leads on individuals and additional companies possibly related to the Stellarfund scam. Details of these findings can be made available to law enforcement or legal partners; please contact investigations@trmlabs.com.

GSandMAStellar and DeFi Pro Finance LTD

The UK registration for GSandMAStellar, Stellarfund's new, UK-based 'owner' (variously spelled as GS&MAStellar), indicates it was registered by a purported Polish national living in Slovakia. The linked firm, DeFi Pro Finance LTD, also registered in the UK, is associated with a similarly named individual. In this instance, the individual is now listed as a Slovenian national living in England and shares the same month and year of birth as the Polish national. Both companies list an address in London which appears to be a retail shop; this address is associated with approximately 80 additional companies and may be used by a corporate services firm.

The use of the "GS" naming convention may suggest a connection to the GSTrade, GSPartners, and GSB Gold Standard scams. The operator of these scams, Josip Heit, also appears to be the creator of BitcoinPOS, the scam currency in which Stellarfund withdrawals are denominated. This link as well as the logo and branding similarities suggest an authentic connection between these scams and Stellarfund.io.

Paid Promotion, July 2021

The Scam, Reborn

As of mid-summer, former victims of the Stellarfund were pushed to recover their lost funds by re-investing in a new iteration of the scam, now rebranded 'The DeFi Pro'. While playing on public interest in the ill-defined and hard to understand concept of DeFi, the scam is essentially unchanged from its prior incarnation. Investors are lured with outrageously high rates of return but must lock their funds in for defined periods of time (after which withdrawal will become impossible).

There are several clear links between The DeFi Pro and Stellarfund. The site's UK-based corporate parent, DeFi Pro Finance Ltd, is registered to the very same individual behind GSandMA Stellar. Its address is the same retail shop in London. The only obvious difference in this corporate iteration is the individual's new purported nationality: Slovenian.

This is some text inside of a div block.

Need support on an investigation?

Fill out the form to speak with our team about investigative professional services.

Services of interest
Select
Transaction Monitoring/Wallet Screening
Training Services
Training Services
 
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Subscribe to our latest insights
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
You can unsuscribe at any time. Read our Privacy Policy.