Inside the $480M LAB Token Side Door at Bitget

There are three load-bearing pieces in the alleged playbook.

**OTC loans at 7.5 percent per month for six months.** That is an annualised rate of about ninety percent. Market makers do not loan tokens to projects at ninety percent unless the loan is collateralised by something more valuable than the principal — usually the right to flip supply on a venue with controlled liquidity. The economics only work if the lender expects to sell into the market that the loan exists to create.

**A vesting cliff unilaterally extended from three months to nine.** Public token unlock schedules exist so retail can model future supply. Moving the cliff later — without a token-holder vote — means insiders trade against a public that thinks supply is locked when it is not.

**OTC deals at sixty to eighty percent discount to spot.** Tokens bought at a steep discount from the project, while spot price is held up by a thin order book, return to the seller as profit the moment the seller dumps into spot. The discount itself is the manipulation premium.

Stack the three and you get a wallet map that looks normal in any single transaction and obvious in aggregate. The aggregate is what Sanctuary's entity graph is built for.

Of the ten fresh wallets that received the 100 million LAB on May 11–12, none had on-chain history before March 2026. Each was funded directly from Bitget hot wallets. Each then moved a portion of its allocation through Binance and Gate as secondary distribution.

By itself, that pattern does not prove coordination. New wallets get funded from exchanges every day; that is not contraband. What makes the cluster a cluster is its parents.

ZachXBT noted the same market-maker fingerprint that appeared in RIVER, RAVE, SIREN, MYX, and SKYAI — five tokens that produced violent multi-thousand-percent pumps followed by 60–95 percent drawdowns in the preceding two months. RAVE rallied from a $60 million market cap to roughly $6 billion in nine days, then lost $5.7 billion in forty-eight hours. SIREN dropped 70 percent in a single day on April 18; Bubblemaps tagged forty-seven wallets controlling about half of supply, all sourced from related funders. Memecore showed 90 percent insider concentration against a claimed $6 billion FDV.

Sanctuary's job is not to label each of those five tokens a scam. Our job is to label the entity behind them. When five token clusters share a market-maker entity, the entity is the unit of risk — not the token. A retail buyer who sells out of LAB before the dump might still hold one of the five next.

This is exactly what cross-chain entity attribution does. We do not score a single address against a single token's chart. We score an operator graph across chains, projects, and time. When the same parent wallet funds a launch on BNB Chain in March, a launch on Solana in April, and a launch on Ethereum in May, the score follows the operator, not the venue.

The defense from an exchange's compliance team will sound like this: "These were customer accounts. We applied our normal AML screening to deposits. We have no insight into the project's internal allocation."

Both halves of that sentence may be technically true. Neither addresses the issue.

An exchange has surveillance obligations on listed assets. These obligations vary by jurisdiction, but in 2026 the floor is no longer "we run a sanctions list against the deposit address." The floor includes monitoring for layering, structuring, wash trading, and insider concentration on tokens the exchange itself lists. When 226 million units of a listed asset accumulate quietly in a small set of accounts over six weeks, then exit in twelve hours, that is a surveillance flag inside the exchange — not an external auditor's problem.

The 2026 regulatory environment has tightened around this point in three places at once.

MiCA's market integrity provisions apply to MiCA-authorized CASPs from December 30, 2024, and Italy's CONSOB began publishing concrete fee schedules for breaches in December 2025. The EU's 20th sanctions package, effective May 24, 2026, adds blanket transaction bans against Russia- and Belarus-established CASPs — Bitget, in particular, has been named in public discussion of those provisions. And on the US side, the GENIUS Act, signed July 18, 2025, treats permitted payment stablecoin issuers as Bank Secrecy Act financial institutions with sanctions-program obligations from day one of the implementation window.

None of that requires Bitget to do anything specific about LAB. All of it raises the bar on what counts as "we applied our normal screening." Normal in 2024 is below the floor in 2026.

If you screen the ten fresh recipient wallets in Sanctuary today, you get a Critical score, typically 88 to 96 out of 100, with two source markers: `bitget_hot_wallet_post_launch_exfiltration` and `operator_cluster_repeat_offender`. The score does not depend on ZachXBT's allegations — it depends on the on-chain pattern.

The funder-of-funders gets the higher score. That address has now funded five separate operator clusters in three months. None of the five projects share a name. All of them share a parent. The pattern is what scores.

This is also where Sanctuary's category decay matters. The mixer category never decays — a sanctioned address from 2018 is still sanctioned in 2026. But behavioural categories like `pump_dump_operator_cluster` decay more slowly than they used to. The reason is that the operators we have tracked through 2024 and 2025 are still active in 2026. The same fingerprint reappearing across RIVER → RAVE → SIREN → MYX → SKYAI → LAB is a refusal to decay.

If you operate an OTC desk, an exchange listings desk, or a token-listing review board, the practical implication is this. When a project pitches you for liquidity provisioning, run the project's market-maker counterparty addresses against the cluster history, not the project's own treasury wallets. The treasury is clean by design. The market-maker is where the pattern lives.

A retail trader of LAB sees a chart that pumped, a chart that crashed, and a Twitter thread. They do not see twelve hours of withdrawal activity from the listing exchange, or six weeks of accumulation across coordinated subaccounts, or two months of related launches from related funders. By the time the chart looks volatile, the operator has already realized profit.

This is the asymmetry that the cartel framing names. It is not that exchanges are operationally complicit in every listed token. It is that an exchange that lists, market-makes, and provides venue while its operator partners run the supply concentration controls all three sides of a market the retail trader thought was a market.

In compliance jargon, this is a conflict-of-interest disclosure issue. In on-chain reality, it is a forensic problem. We can show you the wallets. We can show you the funder-of-funders. We can show you the same fingerprint across five tokens in three months. We cannot get inside Bitget's compliance pipeline; we can only show what would have been visible from the outside if anyone with access had looked.

ZachXBT's allegations against Sadkov, Liu, and the cluster operators are not court findings. As of May 15, 2026, no US, EU, or Asian regulator has filed against any of the individuals named. Bitget has not commented publicly on the specific LAB allegations beyond confirming an investigation into the related RAVE token. SDNY has open dockets on adjacent crypto cases — Roman Storm convicted on one count with the Rule 29 motion pending and a DOJ-requested retrial on hung counts targeted for October 2026; Trenton Johnson charged in the Kapllani matter — but nothing yet on operator-cluster pump-and-dumps on Asian exchanges.

That gap may close. The CFTC's market-manipulation tooling has been used against on-chain wash traders before. The SEC under the current administration is less likely to act, but state attorneys general — New York and California in particular — have pursued similar cases. And Argentinian prosecutors moved against Hayden Davis in the LIBRA case in less than a year. Civil class-action exposure for projects with US holders is also live; Meteora was sued in April 2026 for the M3M3 launch over precisely the same kind of allegation.

For Sanctuary's part, the question is not whether the courts catch up. The question is whether the screening catches up first.

If five token clusters share a market-maker entity, the entity is the unit of risk — not the token. Screen the funder-of-funders, not the chart. The cluster is older than the latest pump and will outlive it.

When the next token from this operator launches — and there will be a next token — the wallet that funds the launch will already have been on Sanctuary's Critical list for three months. The question for any exchange, OTC desk, or payment team that sees the deposit is whether they choose to look.