arbcore.app and arbcore.org market themselves as a “Hong Kong-regulated crypto arbitrage platform, 1.21–3.11% daily returns, smart-contract auto-payouts, simultaneous spreads across 450+ exchanges.” A live backend inspection of the platform's technical architecture, hosting infrastructure, API response shape and payout scheme confirms that the system is a single Node.js server running a scripted Ponzi/MLM economy — not an exchange aggregator, not a smart-contract product, and not a regulated financial service.
Infrastructure fingerprints, API endpoint topology, and role flags within the JWT session token confirm the existence of a two-tier economy: a passive deposit system for ordinary investors, and hidden rate agreements for top-level network promoters. No exchange integration, no deployed on-chain smart contract, and no independent audit exist.
arbcore.app presents itself as a crypto arbitrage platform with the claim that “every trade is verifiable on the blockchain and every payout is automated by a smart contract.” A live inspection of its backend reveals, in reality, a single api.arbcore.app service running on Express.js, hosted on a DigitalOcean droplet behind DDoS-Guard — a Russia-origin anonymous CDN routinely used by grey-market operations — and exposing only seven functional endpoints. The claimed “real-time arbitrage opportunities” endpoint, when polled repeatedly within seconds, returns bit-for-bit identical numbers: it is reading a static table from Postgres, not a live exchange feed. Several assets in the same response body are returned with a price of "0" yet still paired with a declared “~1.4% daily arbitrage profit” — arbitrage on an asset with an unknown price is mathematically impossible. The user balance model exposes upsell flags (isPro, isBoostPro, boostAmount, isSpeed, reinvest) that belong in a gamified deposit scheme, not in a high-frequency trading system. Payouts route through the TON network not via an on-chain contract but through a server-side manual dispatch; the phrase “auto-payout smart contract” is marketing veneer. The system operates a 21-level unilevel MLM structure on the surface, while a hidden role flag (isMaster) in the JWT reveals a second layer of operator-grade accounts reserved for top-tier promoters with private commission agreements. The domain was registered on 13 January 2026 — roughly 100 days before this report — under Namecheap privacy protection. The sum of these signals, combined with documented links to serial MLM launchers behind previous collapsed schemes, places ARBCORE firmly in the trading-bot-ruse Ponzi pattern.
The mismatch between ARBCORE's self-described identity as a “Hong Kong-regulated fintech” and its actual technical footprint is the starting point of this forensic analysis.
| Signal | Observation | Implication |
|---|---|---|
| Domain registration | arbcore.app · 13 Jan 2026 · Namecheap · privacy-protected | Domain age at time of publication: ~100 days. Inconsistent with the claim of a “seasoned fintech team founded in 2025” with employees from “leading asset-management firms.” |
| Name servers | ns1.ddos-guard.net · ns2.ddos-guard.net | DDoS-Guard is a Russia-origin anonymous CDN routinely used by gambling, darknet mirrors and investment fraud. Not subpoena-responsive. |
| Edge IP | 186.2.165.93 · AS62068 (DDoS-Guard Corp.) | No legitimate Tier-1 HK infrastructure in use (AWS HK, Alibaba HK, Azure HK are absent). Unusual for an SFC-compliant broker. |
| Load balancer cookie | DO-LB="ChxbZmQwMDoyOjplMTc3OmYwMDphNmM6MWRdOjgw" | Base64 decode: [fd00:2::e177:f00:a6c:1d]:80 — a DigitalOcean Load Balancer fronting plain-HTTP port 80 internally. TLS terminates only at the edge. |
| Telegram default language | t.me/ArbcoreSupport · default: Russian | Operator team is Russian-speaking. February 2026 SimilarWeb traffic: Ukraine 42%, Belgium 30%, Germany 19% — now expanding to Western Europe, Gulf and US markets. |
| Footer address | Shenzhen, Guangdong · Mainland China | Not Hong Kong. Different legal jurisdiction. Footer HK company number “99 Capital Co., Ltd 79035876” at best names a shell company with no regulatory standing. |
| HK regulatory claim | “Capital Co. Ltd., regulated under Hong Kong law, crypto exchange license” | Offering investment/securities to retail customers in Hong Kong requires SFC Type 1, 4 or 9 licences. None are on the public SFC register. A crypto exchange permit does not confer the right to offer securities. |
A regulated fintech operation requires auditable logs, KYC/AML trails, and onshore Tier-1 cloud providers in its licensing jurisdiction. ARBCORE's actual stack (DDoS-Guard + DigitalOcean droplet + plain-HTTP origin) satisfies none of these requirements. It is the canonical technical fingerprint of an operation designed to be hard to serve process on.
Live API response headers and the JWT token payload disclose both the backend's architectural profile and its role system.
The x-powered-by: Express
header confirms the backend is built on Node.js + Express.js. Institutional fintech platforms
hide this header as a matter of information-disclosure hygiene; its presence here is itself an opsec immaturity signal.
Access-Control-Allow-Origin: * on a Bearer-authenticated API is a permanent entry on the OWASP top-misconfiguration list.
content-security-policy: upgrade-insecure-requests; — a CSP consisting of a single directive is functionally equivalent to no CSP at all; there is no XSS protection at the policy layer.
Three fields in this payload each leave a distinct trace.
The tgUserId field carrying a generic email value
shows the backend was originally authored for a Telegram Mini-App, with web-signup later grafted onto the same schema. A genuine fintech would design its user-ID shape from scratch.
The platform's birthplace is not a professional brokerage — it is a Telegram bot economy.
The isMaster flag is the single most important finding in this report.
The role model reduces to a master / non-master binary. Real fintech platforms maintain ten-plus role tiers (trader, compliance, risk, ops, admin, auditor, etc.).
A one-bit role partition is the backend's own admission of a two-class user base: regular depositor and platform operator / top-tier promoter.
This field is the code-level fingerprint of the private commission agreements examined later in § 06.
is2FAEnabled: false being the default directly contradicts the site's claim of “multi-signature wallets, zkML decentralized verification, institutional-grade security.” 2FA is optional; the multi-factor security claim is marketing.
A single bundled script (index-*.js) and the session-storage key
tsr-scroll-restoration-v1_3 confirm the application is built on Vite + React + TanStack Router.
Previous independent review (BehindMLM, March 2026) identified the starting template as create-tsrouter-app — an open-source scaffolding project with brand assets layered on top.
The hashed CSS filenames in the bundle expose the full user-facing surface:
AllContractsTable · my-contracts · all-contracts — the word “contract” is UI branding for deposit records.ProScreen · ArbBoostScreen · boost · arb-speed — upsell screens pushing users toward Pro / Boost / Speed paid tiers.PartnersTable · network-program · partner-program — MLM downline visualizations.mok-*.css — “mok” is the Latin transliteration of Cyrillic мок, meaning “mock” (fake-demo) page. A developer left it shipped — a Russian-speaking developer fingerprint.ARBCORE's stated architecture (“monitoring across 24+ exchanges in real time,” “integrated with 450+ exchanges,” “public order-book visibility,” “on-chain TXID verification for every trade”) would mandate dozens of REST endpoints. The endpoint set actually exposed by the API is a short list.
| Endpoint (present) | Function |
|---|---|
| GET /health | Liveness check |
| GET /v1/balance/user | User's full asset balance map and upsell flags |
| GET /v1/balance/balance | Aggregate USDT total — returns plain string "0" |
| GET /v1/balance/profitability | Per-asset “daily arbitrage %” — static |
| GET /v1/pools/user/spreads/<TICKER> | Per-user fake arbitrage feed |
| GET /v1/pools/user/payouts/summary/<TICKER> | Cumulative payout total |
| GET /v1/contracts/active/<TICKER> | Active deposit “contract” |
| Endpoint MANDATORY for a real arbitrage platform | Arbcore |
|---|---|
| GET /exchanges — connected exchange registry | MISSING |
| GET /orderbook/:pair/:exchange — live order book | MISSING |
| GET /arbitrage/opportunities — live spread feed | MISSING |
| GET /trades/executed — executed orders | MISSING |
| GET /market/prices/live — price feed (WebSocket) | MISSING |
| GET /txid/verify/:hash — on-chain verification | MISSING |
| GET /wallets/hot — hot-wallet balances | MISSING |
| POST /api-keys — the advertised “public API key” | MISSING |
The frontend continuously polls the /balance/* and /pools/user/* endpoints over plain HTTP. A one-minute observation window showed each endpoint requested 7–9 times. A genuine arbitrage platform would stream exchange price feeds over WebSocket or Server-Sent Events at sub-second resolution; HTTP polling is the architectural signature of a fake feed generator — the server can manufacture new “spread records” on each GET.
/v1/balance/profitability was called three times, seconds apart, during the live inspection. The mathematical refutation of the “AI-powered screener monitoring 24+ exchanges in real time” claim follows directly.
Real cross-exchange arbitrage spreads change at millisecond resolution. Order-book depth, liquidity, fee tiers and maker/taker ratios all move continuously. Identical values on the same key across separate calls, with four-decimal precision, have a probability indistinguishable from zero. These numbers are being read out of a Postgres table populated by a periodic cron or an admin panel — they are not a live market feed.
Within the same response the backend reports the price of TRX, TON, ADA, DOGE and XLM as "0" — meaning it has no live price feed for them. Yet those same assets are each paired with a “daily 1.4% arbitrage profit” figure. Arbitrage between two exchanges requires at minimum a price at both endpoints; an arbitrage profit figure on an asset whose price is unknown is mathematically impossible. This single response line is definitive proof that the profitability field is fabricated.
Line by line, this is not a brokerage account model. It is a gamified deposit economy:
ARBCORE's headline promise: deposit 1,000 USDT → receive 2,500 USDT within 3–5 months. An average minimum of 1.2% daily spread. Industry benchmarks and the mathematical analysis follow.
Real cross-exchange arbitrage nets between 5% and 15% annually in stablecoin terms. The structural reasons for that ceiling:
A claimed daily return of 1.2% compounds to (1.012)^365 ≈ 7,850% annualized. No legitimate financial structure in history has sustained such returns — not a hedge fund, not an HFT firm, not a central-bank balance sheet.
The only structure that can advertise such returns is a Ponzi: incoming deposits from new investors become the “payouts” of earlier investors. The moment inflow slows, payouts freeze; the platform pauses under the label of “technical maintenance” or “product migration” and eventually shuts down.
What the ordinary investor sees is the published MLM plan: 5% direct referral, 21-level unilevel commissions, rank qualifications. This is only the public-facing commission structure. For top-tier promoters, platforms of this kind routinely operate a hidden side-agreement layer that the regular depositor never sees. The isMaster role flag observed in the backend JWT is the code-level fingerprint of that second tier.
| Mechanism | Rate / Requirement |
|---|---|
| Direct referral bonus | 5% of each personally recruited investor's initial deposit |
| ROI match (unilevel) | Up to 10% of downline daily ROI, across up to 21 levels |
| Rank system | Bronze → Elite · 7 tiers, each requiring investment + recruitment volume |
| Volume cashback | 10,000 USDT → 200 · 100,000 → 2,000 · 200,000 → 4,000 |
| Retailable product | None. The only “product” is the deposit into the platform itself. |
In platforms of this architecture, private side-agreements with large-downline ambassadors follow a recognizable worldwide template.
The existence of the isMaster flag, combined with the operational footprint of
serial MLM ambassadors documented by BehindMLM (Vladislav Stefanov, Aderly Dupont, Uwe Klemm, Steffen Wolter) and their relationship to the operator group, strongly indicates the presence of the following hidden-agreement components:
| Agreement Clause | What it means in practice |
|---|---|
| Founder / Master rate | In place of the public 5% referral, the master receives 20–40% commission on all volume brought in. Never disclosed to the ordinary investor. |
| Priority withdrawal | When the platform approaches its liquidity ceiling, “master” wallets are paid first from the outgoing queue. Ordinary users wait. |
| Capital guarantee | In the event of collapse, the master's principal is guaranteed by side-agreement. Ordinary users have no equivalent protection. |
| Seed equity / token allocation | At launch, masters receive free “founder pool” token allocations, cashed out at TGE. |
| KYC / AML whitelist | Master wallets bypass deposit/withdrawal thresholds that trigger identity checks for ordinary users. |
| Backend CRM access | Master has live visibility into downline identity, deposit timing and withdrawal behavior — fields never surfaced in the ordinary user UI. |
| Manufactured testimonials | Master's handle is featured on official “top earners” leaderboards regardless of actual net position. |
| Exit signalling | Before closure, masters receive a “stop pushing” signal. Final-tranche investors carry the loss. |
For every 10,000 USDT brought into the system by a promoter under such an agreement, the typical split runs approximately: ~3,000 USDT to the master's hidden commission, ~4,000 USDT to the operator's outflow pool (team included), ~2,000 USDT distributed down the 21-level unilevel bonus tree, and a remaining ~1,000 USDT nominally allocated to the new depositor's eventual “returns.” The new depositor was promised 250% = 25,000 USDT. With 9,000 USDT already distributed upstream on day one, that promise is mathematically unfundable except through a continuous stream of new depositors. That is the definition of a Ponzi scheme.
“A network promoter pitching ARBCORE to you with urgency is not doing so because they believe in the product — they are aware of the rate they themselves receive. You are not on the same agreement. In the backend, you are the side marked isMaster: false.” — ARBCORE backend JWT payload · April 2026
The BehindMLM report (March 2026) documents the ambassador network promoting ARBCORE and their track record across prior failed schemes:
This cluster is what the industry calls serial launchers: as soon as one scheme collapses, the same playbook is redeployed under a new brand. ARBCORE was not built from scratch — the signals point to it being the next iteration of a recurring template.
A prior scheme documented by independent researchers, Polar Tensor (polar-tensor.com), shares nearly every structural feature with ARBCORE. The side-by-side comparison below rules out coincidence.
Backend stack, payout model, claim framing, domain-aging window, and MLM structure are two versions of the same playbook. When one shuts down, the next launches under a new theme: “neural networks,” “arbitrage,” “AI trading,” “quantum hedging.” The target jurisdictions, brand names and top-level ambassador roster rotate. The underlying economic code does not.
All technical evidence in this report is derived from passive observation. No funds were deposited on the platform at any point. No real personal identification was submitted. No offensive-security techniques were used — no brute-force enumeration, no SQL injection, no session hijacking, no credential stuffing, no exploitation of server endpoints.
The research account was created with a disposable temporary email service. This is a standard practice for responsible security research:
As a result, all identifiers appearing in evidence blocks within this report — session UUIDs, balance-account UUIDs, and the email value within the JWT tgUserId field — have been redacted. The research session JWT has since expired and no longer grants access. No personal information belonging to any real person is reproduced in this report.
window scope; no mutation of DOM or storage.window.fetch and XMLHttpRequest interceptors capturing response bodies within the researcher's own session only.This report is published in the public interest. It contains no personal attacks on the operators, team or promoter network of ARBCORE; all named individuals are referenced as documented by BehindMLM's April 2026 investigation. The purpose is to provide prospective depositors with verifiable technical evidence so they can make informed decisions.
The authors have no commercial relationship with any competing platform, exchange or financial product. This report is free, ad-free, and carries no affiliate links. It may be freely republished or archived.
If you have already deposited funds, or have encountered ARBCORE in your own country's promoter networks, the following official channels accept complaints for unregistered investment schemes, securities fraud, and crypto-investment fraud. Reports filed across multiple jurisdictions materially increase the probability of action.
ARBCORE claims regulation under Hong Kong law via “Capital Co. Ltd.” This claim is directly testable against the SFC public register; filing complaints in HK is therefore particularly effective because the platform itself has invited that jurisdiction.
Regulator for any entity offering investment products in HK. Confirms/denies the “Capital Co. Ltd.” licence claim.
Cyber Security and Technology Crime Bureau. Accepts cross-border crypto-fraud reports.
HK Police 24/7 anti-scam helpline · Scameter search for reported wallets & domains.
adcc.gov.hk · 18222
Unregistered securities offerings, investment-scheme fraud, promoter misconduct.
Internet Crime Complaint Center. Crypto fraud, cross-border investment scams.
Crypto-asset fraud; whistleblower program with monetary awards.
Consumer fraud reporting, including MLM and crypto-investment scams.
Most states have their own securities division. NASAA directory locates the nearest.
Crypto fraud with a US-based victim nexus.
The EU currently operates under the MiCA regulation for crypto-asset service providers. ARBCORE does not appear on any national CASP register. Belgium (30% of traffic) and Germany (19%) are priority reporting jurisdictions; Ukraine (42% of traffic) sits outside the EU but has its own channels.
Cross-border investor warnings, coordinates between national regulators.
Federal financial supervisory authority. Issues warnings on unauthorized crypto operators.
Financial Services and Markets Authority. Maintains a public list of flagged fraudulent platforms.
Autorité des marchés financiers. Publishes a public blacklist of non-authorized crypto operators.
Comisión Nacional del Mercado de Valores. Publishes warnings on unauthorized entities.
Financial Conduct Authority. Publishes unauthorised-firm warnings on ScamSmart.
European Cybercrime Centre. Routes cybercrime reports to the appropriate national authority.
National cyber-police unit. 42% of Arbcore's traffic originates from Ukraine.
Federal securities regulator of the UAE.
Dubai's dedicated crypto-asset regulator. Any platform marketing to Dubai residents falls under its oversight.
Regulator of the Dubai International Financial Centre free zone.
Abu Dhabi Global Market regulator. Includes a crypto framework.
Issues warnings on unlicensed financial products.
Regulator of the Bahraini financial sector, including crypto-asset service providers.
Qatar's financial-services regulator.
Cross-border coordination between national police agencies. Submit via your national bureau.
International Organization of Securities Commissions. Publishes investor alerts from 100+ jurisdictions.
NGO focused on crypto and romance-investment scams.
Open reporting database for malicious crypto wallets and fraud operations — used by law-enforcement and exchanges.