
Global Cybersecurity Alliance Insights: 344 million USDT on the TRON chain frozen by OFAC, regulatory risks of stablecoins receive renewed attention

Summary: The Global Cybersecurity Alliance released a report stating that 344 million USDT on the TRON blockchain has been frozen by Tether in cooperation with OFAC due to its involvement with the Central Bank of Iran, raising industry concerns about stablecoin regulation and on-chain risk management.
Industry Express
2026-05-27 16:41:08

1. Event Background

On April 23, 2026, Tether announced the freezing of two USDT addresses on the TRON network in coordination with the U.S. Department of the Treasury and law enforcement, with a total frozen amount of approximately 344 million USDT. The next day, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) added these two addresses to the SDN sanctions list related to the Central Bank of Iran, Bank Markazi, marking them as associated with sanctioned entities such as the IRGC-Qods Force and Hizballah. The two frozen addresses are:

  • Address: TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81; Assets: TRON/TRC20-USDT; Frozen Amount: approximately 212,922,653 USDT; Current Public Qualification: OFAC marked as related to the Central Bank of Iran;

  • Address: TTIDLWE6fZK8okMJv6ijg42yrH6W2pjSr9; Assets: TRON/TRC20-USDT; Frozen Amount: approximately 131,288,800 USDT; Current Public Qualification: OFAC marked as related to the Central Bank of Iran;

OFAC's classification of these as "Iran government-related addresses" rests not on a single on-chain transaction but on several judgments:

  • First, OFAC directly included the two addresses in the sanctions entries related to the Central Bank of Iran;

  • Second, the U.S. Department of the Treasury's OFAC and on-chain analysis firms believe that these addresses have transaction paths associated with Iranian exchanges, wallets related to the Central Bank of Iran, and intermediary addresses;

  • Third, both addresses have long-term large inflows of USDT, low-frequency outflows, and long periods of inactivity, with behavioral characteristics more akin to institutional reserves or funds pools rather than ordinary user wallets.

However, it is important to clarify that OFAC's sanction classification is an official legal and intelligence judgment, and public on-chain data alone cannot directly prove that the private keys are directly controlled by the Iranian government or the Central Bank of Iran. In other words, what can currently be confirmed is that "the U.S. Department of the Treasury's OFAC considers them related to the Central Bank of Iran," but it cannot be concluded solely based on public on-chain data that "these two addresses are definitely wallets directly controlled by the Iranian government."

2. Detailed Analysis

2.1. On-Chain Characteristics of the Two Frozen Addresses

From the on-chain data, both addresses exhibit clear characteristics of "large inflows, low outflows, long-term accumulation." Of the two, TNiq9...ZH81 holds the larger balance, with historical total inflows of approximately 228.6 million USDT and total outflows of about 15.73 million USDT, giving an outflow ratio of about 6.9%; TTIDL...Sr9 has a frozen balance of approximately 131.3 million USDT and was added to the USDT blacklist on April 23, 2026, at 12:02 UTC.

Such behavior does not resemble typical high-frequency money laundering intermediary addresses, nor does it resemble exchange hot wallets. A more reasonable understanding is that both may be in a "reserve layer" or "aggregation layer" within a certain funding network. TRM Labs' merged analysis of the two addresses also indicates that they have cumulatively received about 370 million USD through approximately 1,000 transactions, with most funds accumulated before the end of 2023, and then remained dormant for a long time, resembling "reserve wallets" rather than operational wallets.

2.2. Relationship Between the Two Frozen Addresses

The two addresses do not exist in isolation. Public analysis mentions that TTIDL...Sr9 transferred approximately 8.6 million USDT to TNiq9...ZH81. This transaction indicates a direct financial connection between the two addresses, supporting the judgment that they belong to the same funding structure or operational network.

However, this does not equate to "both are definitely directly controlled by the Central Bank of Iran." A more accurate statement is: this 8.6 million USDT transfer proves that there is a financial coordination relationship between the two, but it cannot prove the real-world private key controllers, nor can it rule out the possibility of third-party brokers, OTC, custodians, or clearing agents holding or operating on their behalf.

2.3. Analysis of Upstream Corresponding Addresses

Based on public graphs and prior analysis, several important upstream addresses include:

  • Address: TD2BiYkihphjrK35YQy1QGxGotSo86vVnk; Role Judgment: primary upstream funder; Relationship with Frozen Addresses: approximately 29M/30M level funding source; Conclusion: may be an upstream funding pool, broker, or custodian address;

  • Address: TZ3xL5jeBXyo8jPDvh2veBtJZCJozHq81t; Role Judgment: primary upstream funder; Relationship with Frozen Addresses: approximately 16.5M level funding source; Conclusion: forms the same batch funding path with Funder-001;

  • Address: TYkdG6k1987mkfU5ZzYf9ZK3xi989jNMPJ; Role Judgment: secondary funder; Relationship with Frozen Addresses: smaller amount; Conclusion: has auxiliary significance in proving a common funding structure;

  • Address: TGzGetNjyDNv4ByMaLwPqG3U8tskNwQsbL; Role Judgment: secondary funder; Relationship with Frozen Addresses: smaller amount; Conclusion: more like a marginal or test upstream address;

  • Address: TCXfhTDMuS6pbfCEoACPcBf2EnnhMAAEWh; Role Judgment: key intermediary hub; Relationship with Frozen Addresses: approximately 274.6 million USDT comprehensive flow; Conclusion: more like a clearing/intermediary node;

Among these, Funder-001 and Funder-002 are the most significant. They are not fragmented entries from retail investors but rather larger amounts concentrated into the same funding structure, indicating that the frozen addresses may connect to institutional-level funding sources, OTC brokers, multi-address custodians, or clearing networks. Funder-001 and Funder-002 cannot simply be labeled as "Iran government addresses"; a more rigorous statement would be "suspected upstream large funding source addresses, possibly representing the supply side or broker side of Iranian-related funding networks."

Additionally, the key hub TCXfh...AEWh deserves more attention. This address is described as a large funding channel node, processing approximately 274.6 million USDT in comprehensive flow, with a balance close to 0, exhibiting characteristics of "passing through but not holding long-term." This suggests that the entire funding structure may not simply be a "cold wallet of the Central Bank of Iran," but more like:

Upstream funding source/broker → Aggregation wallet → Operational wallet → Clearing hub → Exchange, cross-chain bridge, DeFi, or other settlement paths

This structure aligns more with a mixed network of "state-related funds + third-party financial infrastructure + exchange edge accounts," rather than a simple government wallet model.

Furthermore, according to data from the U.S. Department of the Treasury's official website, there are a total of 9 TRON cryptocurrency addresses explicitly marked as related to Iran in the SDN list. Based on this, this analysis constructed a reference database of sanctioned addresses including 7 known entities such as ZEDCEX exchange, and conducted strict comparisons with the 45 effective counterparties of the sanctioned dual addresses (17 associated with TARGET, 28 associated with TNiq9):

  • In the "first hop" verification targeting direct counterparties, the data shows that apart from internal fund transfers between TARGET and TNiq9, neither party has had direct interactions with any Iranian addresses in the reference database.

  • In the "second hop" (Hop-2) tracing test aimed at uncovering hidden associations, the investigation scope further covered all upstream and downstream transactions of direct counterparties. On-chain tracking results indicate that all involved upstream funding hubs (such as TCXfh...) and downstream destinations did not show any financial interactions with known Iranian sanctioned addresses within the second hop range.

2.4. Currently Cannot Clearly Prove Direct Control by the Iranian Government

In summary, the current public information supports the following judgments:

  • First, the two addresses have been officially marked by OFAC as related to the Central Bank of Iran;

  • Second, the on-chain behavior of the two addresses exhibits characteristics of large reserve-type funding pools;

  • Third, the two addresses have financial connections with multiple upstream funders, key intermediary hubs, and exchange edge addresses;

  • Fourth, there is a direct transfer of 8.6 million USDT between the two addresses.

However, public information still has significant shortcomings: it does not disclose complete investigation materials, does not publicly prove the private key controllers, does not prove that the upstream funder addresses are Iranian government addresses, and does not rule out the involvement of third-party brokers, OTC, custodians, exchange edge accounts, or mixed clearing networks.

The behavior of these two addresses does not resemble typical IRGC wallets; they exhibit mixed exposure with trading infrastructures such as Bitfinex, HTX, Huione, and have been mentioned as overlapping with scam-related flows. These factors weaken the simple narrative that "this is a clean, closed wallet that only belongs to the Iranian government's reserves."

Therefore, this report recommends a more cautious qualification:

These two addresses can be described as "OFAC identified addresses related to the Central Bank of Iran" or "suspected large reserve/aggregation addresses in Iranian-related funding networks," but should not be directly stated as "wallet addresses confirmed to be directly controlled by the Iranian government."

3. Impact Analysis

3.1. Impact on Stablecoins

This incident once again illustrates that centralized stablecoins like USDT are not completely censorship-resistant assets. Although USDT operates on a public chain, the issuer can still execute blacklist and freezing operations on specific addresses at the contract level. USDT is therefore more accurately described as a combination of "on-chain dollar certificates + issuer compliance control rights" than as on-chain cash that cannot be frozen. This has two effects: on one hand, compliance agencies and regulatory bodies will increasingly recognize the regulatory potential of stablecoins; on the other hand, users who prioritize decentralization and censorship resistance will reassess the freezing risks of centralized stablecoins.

3.2. Impact on Public Chain Ecosystem

Both frozen addresses are located on the TRON network, indicating that TRON, as a low-fee, high-liquidity USDT transfer network, has become a key focus of on-chain regulation and law enforcement. Future regulation will not only focus on the public chain itself but will pay more attention to stablecoin issuers, exchanges, OTC, cross-chain bridges, wallet service providers, on-chain data service providers, and fiat deposit and withdrawal channels. This means that while public chains remain technically neutral, the assets, entry points, exits, and service providers on them will be subject to real-world regulatory and geopolitical influences.

3.3. Impact on On-Chain Risk Control and Compliance Industry

This incident shows that merely checking "whether it hits the blacklist" is no longer sufficient. Effective risk control needs to combine address profiling, funding flow paths, multi-hop risks, exchange labels, OTC clusters, stablecoin freezing status, and address behavior patterns. Future on-chain compliance systems will need to answer not just "is this address on the OFAC list," but also assess:

  • How many hops is this address away from high-risk addresses?

  • Has it interacted with sanctioned entities, exchange deposit addresses, cross-chain bridges, or gray OTC?

  • Are there any abnormal patterns such as large accumulations, low-frequency outflows, long-term dormancy, or sudden transfers?

Therefore, address profiling, funding flow tracking, multi-hop risk scoring, and stablecoin freezing monitoring will become core capabilities of Web3 risk control products.
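
The first-hop and second-hop comparison from section 2.3 and the behaviour-pattern questions above can be sketched together as follows. This is an added example, not code from the report; every address, transfer, and threshold in it is a constructed placeholder.

```python
from collections import deque, defaultdict

# Constructed sample transfers: (day, sender, receiver, amount_usdt).
# All addresses are placeholders, not real TRON addresses.
TRANSFERS = [
    (10, "FUNDER_1", "RESERVE", 30_000_000),
    (12, "FUNDER_2", "RESERVE", 16_500_000),
    (40, "RESERVE", "HUB", 3_200_000),
    (41, "HUB", "EXCH_DEPOSIT", 3_200_000),
    (45, "SANCTIONED_X", "FUNDER_2", 500_000),
    (50, "MERCHANT", "EXCH_DEPOSIT", 1_000),
]
SANCTIONED = {"SANCTIONED_X"}  # stand-in for an SDN-derived reference set

def hop_distance(transfers, start, targets, max_hops=2):
    """Fewest transfers (either direction) linking start to a target, else None."""
    adj = defaultdict(set)
    for _, src, dst, _ in transfers:
        adj[src].add(dst)
        adj[dst].add(src)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if node in targets:
            return depth
        if depth == max_hops:
            continue  # do not expand beyond the configured hop range
        for nxt in adj[node] - seen:
            seen.add(nxt)
            queue.append((nxt, depth + 1))
    return None

def profile(transfers, addr, now_day):
    """Inflow, outflow, outflow ratio and days since last activity for addr."""
    inflow = sum(a for _, s, d, a in transfers if d == addr)
    outflow = sum(a for _, s, d, a in transfers if s == addr)
    last = max((t for t, s, d, _ in transfers if addr in (s, d)), default=None)
    return {
        "inflow": inflow,
        "outflow": outflow,
        "outflow_ratio": outflow / inflow if inflow else None,
        "dormant_days": None if last is None else now_day - last,
    }

def is_reserve_like(p, max_ratio=0.10, min_dormant=180, min_inflow=1_000_000):
    """Large accumulation, low outflow, long dormancy (thresholds are assumptions)."""
    return (p["inflow"] >= min_inflow and p["outflow_ratio"] is not None
            and p["outflow_ratio"] <= max_ratio and p["dormant_days"] >= min_dormant)
```

A blacklist-only check passes `RESERVE` here, while the hop search places it two transfers from the sanctioned placeholder and the profile flags it as reserve-like; `HUB`, which forwards everything it receives, is not flagged by the reserve heuristic.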

3.4. Impact on Regulatory Systems

Traditional sanctions primarily rely on banks, SWIFT, clearing houses, and financial institutions for enforcement, but this incident indicates that stablecoin issuers are becoming part of the sanction enforcement chain. A new on-chain regulatory model may emerge:

OFAC sanctions list + on-chain analysis companies + stablecoin issuers + exchanges + wallet service providers

This mechanism is more immediate than traditional banking systems because on-chain data is public, traceable, and can be monitored automatically. However, it also brings issues such as collateral damage, opaque attribution, and insufficient appeal mechanisms.

3.5. Impact on Ordinary Users and Enterprises

For ordinary users, controlling private keys does not equate to absolute asset security. For centralized stablecoins like USDT and USDC, even if private keys are not leaked, tokens may still be frozen at the contract level for compliance reasons.

For enterprises that accept USDT payments, it is not enough to check "whether the funds have arrived"; they also need to consider whether the source of funds is clean. If the payment comes from sanctioned addresses, scam addresses, hacker addresses, or high-risk OTC, there may be subsequent risks of exchanges refusing deposits, account risk controls, fund freezes, and compliance investigations.

Insight Report Source: Global Cybersecurity Alliance

https://www.gcsa.org/

Disclaimer: This article is a submitted work, and the content, data, and opinions expressed are for reference only and do not constitute platform opinions.
