Article author: 0x9999in1
Source: Global Cybersecurity Alliance https://www.gcsa.org
1. Background of the event
On April 23, 2026, Tether announced that it was cooperating with the U.S. Treasury Department and law enforcement agencies to freeze two USDT addresses on the TRON network, freezing a total of approximately 344 million USDT. The following day, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) added these two addresses to the SDN sanctions entry for the Central Bank of Iran (Bank Markazi), and noted their association with sanctioned entities such as IRGC-Qods Force and Hizballah. The two frozen addresses are:
- Address: TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81; Chain: TRON/TRC20-USDT; Frozen amount: approximately 212,922,653 USDT; Current public classification: tagged by OFAC as an address related to the Central Bank of Iran
- Address: TTiDLWE6fZK8okMJv6ijg42yrH6W2pjSr9; Chain: TRON/TRC20-USDT; Frozen amount: approximately 131,288,800 USDT; Current public classification: tagged by OFAC as an address related to the Central Bank of Iran
OFAC's characterization of these as "Iranian government-related addresses" does not rest primarily on a single on-chain transaction, but on multiple assessments:
- First, OFAC directly added the two addresses to the relevant sanctions list of the Central Bank of Iran;
- Second, OFAC and on-chain analysis agencies believe that these addresses have transaction paths with Iranian exchanges, wallets related to the Central Bank of Iran, and intermediary addresses;
- Third, the two addresses consistently receive large amounts of USDT, transfer out infrequently, and remain dormant for extended periods, exhibiting behavior characteristics more akin to institutional reserves or liquidity pools than ordinary user wallets.
However, it needs to be clarified that OFAC's sanctions are based on official legal and intelligence assessments. The publicly available on-chain data cannot by itself prove that the private keys are directly controlled by the Iranian government or the Central Bank of Iran. In other words, what can be confirmed at present is that "OFAC has determined that the addresses are related to the Central Bank of Iran," but we cannot conclude that "these two addresses must be wallets directly controlled by the Iranian government" solely on the basis of publicly available on-chain data.
2. Detailed Analysis
2.1. On-chain characteristics of the two frozen addresses
On-chain data shows that both addresses exhibit clear characteristics of "large inflows, low outflows, and long-term accumulation." Specifically, TNiq9...ZH81 has a larger balance, with a historical total inflow of approximately 228.6 million USDT and a total outflow of approximately 15.73 million USDT, representing an outflow rate of about 6.9%. TTiDL...Sr9 has a frozen balance of approximately 131.3 million USDT and was added to the USDT blacklist at 12:02 UTC on April 23, 2026.
This behavior doesn't resemble typical high-frequency money laundering relay addresses, nor does it resemble exchange hot wallets. A more reasonable understanding is that the two addresses may be in a "reserve layer" or "aggregation layer" within a certain funds network. TRM Labs' combined analysis of the two addresses also suggests that they received approximately $370 million in total, across about 1,000 transactions. Most of the funds were accumulated before the end of 2023 and then remained dormant for a long period, making them more like "reserve wallets" than daily-operational wallets.
2.2. The relationship between the two frozen addresses
The two addresses are not isolated. Public analysis mentions that TTiDL...Sr9 transferred approximately 8.6 million USDT to TNiq9...ZH81. This transaction indicates a direct financial connection between the two addresses, supporting the conclusion that they belong to the same financial structure or the same operating network.
However, this does not equate to "both being directly controlled by the Central Bank of Iran." A more accurate statement is: this 8.6 million USDT transfer proves the existence of a financial coordination relationship between the two parties, but it does not prove the actual controller of the private keys in the real world, nor does it rule out the possibility that a third-party broker, OTC, custodian, or clearinghouse held or operated the funds on their behalf.
2.3. Analysis of upstream and downstream addresses
Based on publicly available graphs and preliminary analysis, several key upstream addresses include:
- Address: TD2BiYkihphjrK35YQy1QGxGotSo86vVnk; Role: main upstream Funder; Relationship with frozen address: funding source at approximately the 29M/30M level; Conclusion: possibly an upstream fund pool, broker, or escrow address
- Address: TZ3xL5jeBXyo8jPDvh2veBtJZCJozHq81t; Role: main upstream Funder; Relationship with frozen address: funding source at approximately the 16.5M level; Conclusion: forms the same batch of funding paths as Funder-001
- Address: TYkdG6k1987mkfU5ZzYf9ZK3xi989jNMPJ; Role: secondary Funder; Relationship with frozen address: small amounts; Conclusion: useful as supplementary evidence of a common funding structure
- Address: TGzGetNjyDNv4ByMaLwPqG3U8tskNwQsbL; Role: secondary Funder; Relationship with frozen address: small amounts; Conclusion: more like an edge or test upstream address
- Address: TCXfhTDMuS6pbfCEoACPcBf2EnnhMAAEWh; Role: key relay Hub; Relationship with frozen addresses: approximately 274.6 million USDT in total traffic; Conclusion: more like a liquidation/relay node
Among them, Funder-001 and Funder-002 are the most significant. They do not represent fragmented inflows from retail investors, but rather large, concentrated amounts entering the same funding structure, indicating that the frozen addresses may be connected to institutional funding sources, OTC brokers, or multi-address custody or clearing networks. Funder-001 and Funder-002 cannot be simply described as "Iranian government addresses"; a more precise description is "suspected upstream large-scale funding source addresses, possibly representing the supply side or brokerage side of Iranian-related funding networks."
Furthermore, the key Hub TCXfh...AEWh deserves even more attention. This address is described as a large-scale funding channel node, handling approximately 274.6 million USDT in total flow with a balance close to zero, which is the transit pattern of funds "passing through but not being held long-term." This suggests that the entire funding structure may not be a simple "Central Bank of Iran cold wallet," but more like:
Upstream funding sources/brokers → Aggregator wallets → Operational wallets → Clearing Hub → Exchanges, cross-chain bridges, DeFi, or other settlement paths
This structure is more in line with a hybrid network of "nationally-related funds + third-party financial infrastructure + exchange edge accounts" than a single government wallet model.
Meanwhile, according to data from the U.S. Treasury Department's official website, a total of nine Iranian-related TRON cryptocurrency addresses are explicitly marked on the SDN list. On this basis, this analysis constructed a sanctioned-address reference database covering seven known entities, such as the ZEDCEX exchange, and compared it rigorously against the 45 valid counterparties of the two sanctioned addresses (17 associated with TARGET and 28 associated with TNiq9):
- In the "first hop" verification of direct counterparties, the data showed that, apart from internal fund transfers between TARGET and TNiq9, neither address had direct interaction with any Iranian address in the reference database.
- In the "Hop-2" attribution test, designed to uncover hidden connections, the investigation was expanded to include all upstream and downstream transactions of every direct counterparty. On-chain tracking found no financial transactions, within the two-hop scope, between any of the upstream funding hubs (such as TCXfh...) or downstream destinations involved and the known Iranian sanctioned addresses.
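The hop-1 and Hop-2 checks described above can be expressed as a bounded breadth-first search over the transfer graph. The following is an added example, not code from the original report; every address label, amount and the reference set are constructed placeholders, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample transfers (sender, receiver, USDT amount); labels are placeholders.
TRANSFERS = [
    ("FUNDER_A", "FROZEN_1", 29_000_000),
    ("FUNDER_B", "FROZEN_1", 16_500_000),
    ("FROZEN_2", "FROZEN_1", 8_600_000),
    ("FROZEN_1", "HUB_X", 5_000_000),
    ("HUB_X", "EXCHANGE_DEPOSIT", 4_900_000),
    ("OTC_Y", "FUNDER_B", 2_000_000),
    ("OTC_Y", "LISTED_Z", 750_000),
]
REFERENCE_SET = {"LISTED_Z"}  # hypothetical sanctioned-address reference database

def build_graph(transfers):
    """Undirected adjacency map: a hop counts upstream and downstream alike."""
    graph = {}
    for sender, receiver, _amount in transfers:
        graph.setdefault(sender, set()).add(receiver)
        graph.setdefault(receiver, set()).add(sender)
    return graph

def screen(graph, start, reference, max_hops=2):
    """BFS out to max_hops; return {listed_address: (hops, path)} for each hit."""
    hits = {}
    seen = {start}
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        hops = len(path) - 1
        if node in reference and node != start:
            hits[node] = (hops, path)  # BFS guarantees this is a shortest path
        if hops == max_hops:
            continue  # do not expand beyond the screening depth
        for nxt in sorted(graph.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return hits

if __name__ == "__main__":
    g = build_graph(TRANSFERS)
    for depth in (1, 2, 3):
        print(depth, screen(g, "FROZEN_1", REFERENCE_SET, max_hops=depth))
```

In this constructed graph the two-hop screen is clean while a three-hop screen finds a listed address, which shows that a negative result is only as strong as the search depth and the completeness of the reference set.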
2.4. It cannot currently be definitively proven that the address is directly controlled by the Iranian government.
In summary, the currently available information supports the following conclusions:
- First, both addresses have been officially identified by OFAC as being related to the Central Bank of Iran;
- Second, the on-chain behavior of the two addresses exhibits characteristics of a large reserve fund pool;
- Third, the two addresses have financial connections with multiple upstream Funders, key transit hubs, and exchange edge addresses;
- Fourth, there was a direct transfer of 8.6 million USDT between the two addresses.
However, the publicly available information is still clearly insufficient: complete investigative materials have not been disclosed, the private key controller has not been publicly identified, the upstream Funder addresses have not been proven to be Iranian government addresses, and the possibility of involvement by third-party brokers, OTCs, custodians, exchange peripheral accounts, or hybrid clearing networks has not been ruled out.
These two addresses do not behave like typical IRGC wallets; they have mixed exposures with transaction infrastructures such as Bitfinex, HTX, and Huione, and have been mentioned as overlapping with scam-related flows. These factors undermine the simplistic narrative that "this is a clean, closed address belonging solely to the Iranian government's reserves."
Therefore, this report recommends a more cautious qualitative approach:
These two addresses can be described as "addresses related to the Central Bank of Iran as identified by OFAC" or "addresses for large reserves/collection in suspected Iranian-related financial networks," but should not be directly described as "wallet addresses confirmed to be directly controlled by the Iranian government."
3. Impact Analysis
3.1. Impact on Stablecoins
This incident once again demonstrates that centralized stablecoins like USDT are not entirely censorship-resistant assets. Although USDT operates on a public blockchain, the issuer can still blacklist and freeze specific addresses at the contract level. Therefore, USDT is more accurately described as a combination of "on-chain USD certificate + issuer's compliant control," rather than completely unfreezeable on-chain cash. This will have a dual impact: on the one hand, compliance agencies and regulators will be more accepting of the regulatory viability of stablecoins; on the other hand, users who emphasize decentralization and censorship resistance will reassess the freezing risks of centralized stablecoins.
3.2. Impact on the public blockchain ecosystem
Both frozen addresses are located on the TRON network, indicating that TRON, as a low-fee, high-liquidity USDT transfer network, has become a key focus of on-chain regulation and enforcement. Future regulation will not only focus on the public chain itself, but will also pay more attention to stablecoin issuers, exchanges, OTC markets, cross-chain bridges, wallet service providers, on-chain data service providers, and fiat currency deposit and withdrawal channels.
This means that while public blockchains maintain technical neutrality, the assets, entry points, exit points, and service providers on them will be affected by real-world regulations and geopolitics.
3.3. Impact on On-Chain Risk Control and Compliance Industries
This incident demonstrates that simply checking whether an address is on a blacklist is insufficient. Truly effective risk control requires a combination of address profiling, fund flow paths, multi-hop risk, exchange tags, OTC clusters, stablecoin freeze status, and address behavior patterns. Future on-chain compliance systems will need to answer not only "Is this address on the OFAC list?", but also:
- How many hops away is this address from the high-risk address?
- Has it ever been exposed to sanctioned entities, exchange deposit addresses, cross-chain bridges, or grey OTC markets?
- Does it show abnormal patterns such as large deposits, infrequent outflows, long-term dormancy, or sudden transfers?
Therefore, address profiling, fund flow tracking, multi-hop risk scoring, and stablecoin freeze monitoring will become the core capabilities of Web3 risk control products.
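The behavioural signals used in this report (large inflows with a low outflow rate and long dormancy for the frozen addresses, near-zero balance with full pass-through for the relay Hub) can be computed from a transfer ledger as follows. This is an added example, not code from the original report; the ledger, the address labels and all three thresholds are constructed assumptions.

```python
from datetime import date, datetime

# Constructed sample ledger: (UTC timestamp, sender, receiver, USDT amount).
# RESERVE_A and HUB_B are placeholder labels, not real addresses.
LEDGER = [
    ("2023-03-01T10:00:00", "SRC_1", "RESERVE_A", 40_000_000),
    ("2023-06-15T08:30:00", "SRC_2", "RESERVE_A", 35_000_000),
    ("2023-09-20T14:00:00", "SRC_1", "RESERVE_A", 20_000_000),
    ("2023-11-05T09:00:00", "RESERVE_A", "HUB_B", 7_000_000),
    ("2023-12-10T16:45:00", "SRC_3", "RESERVE_A", 5_000_000),
    ("2026-04-20T11:00:00", "SRC_4", "HUB_B", 3_000_000),
    ("2026-04-21T12:00:00", "HUB_B", "DST_1", 9_990_000),
]

def profile(ledger, addr, as_of, reserve_max_rate=0.10,
            dormant_min_days=180, relay_min_rate=0.95):
    """Summarise one address's flows and label the pattern (thresholds are assumptions)."""
    total_in = total_out = 0
    last_seen = None
    for ts, sender, receiver, amount in ledger:
        if addr not in (sender, receiver):
            continue
        if receiver == addr:
            total_in += amount
        if sender == addr:
            total_out += amount
        day = datetime.fromisoformat(ts).date()
        last_seen = day if last_seen is None else max(last_seen, day)
    if last_seen is None or total_in == 0:
        return {"address": addr, "label": "no-inflow-history"}
    rate = total_out / total_in                      # outflow rate = outflow / inflow
    dormant = (date.fromisoformat(as_of) - last_seen).days
    if rate <= reserve_max_rate and dormant >= dormant_min_days:
        label = "reserve-like"                       # accumulates, rarely spends, long idle
    elif rate >= relay_min_rate:
        label = "pass-through"                       # nearly everything received moves on
    else:
        label = "unclassified"
    return {"address": addr, "total_in": total_in, "total_out": total_out,
            "balance": total_in - total_out, "outflow_rate": round(rate, 4),
            "dormant_days": dormant, "label": label}

if __name__ == "__main__":
    for a in ("RESERVE_A", "HUB_B"):
        print(profile(LEDGER, a, "2026-04-23"))
```

A label from this profile describes behaviour only; as the report stresses, it says nothing about who controls the private keys.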
3.4. Impact on the regulatory system
Traditional sanctions primarily rely on banks, SWIFT, clearing banks, and financial institutions for enforcement. However, this incident demonstrates that stablecoin issuers are becoming part of the sanctions enforcement chain. This may lead to new on-chain regulatory models in the future:
OFAC Sanctions List + On-Chain Analytics Companies + Stablecoin Issuers + Exchanges + Wallet Service Providers
This mechanism is more real-time than the traditional banking system because on-chain data is public, traceable, and can be monitored automatically. However, it also brings problems such as false positives, opaque attribution, and insufficient appeal mechanisms.
3.5. Impact on ordinary users and businesses
For ordinary users, private key control does not equate to absolute asset security. For centralized stablecoins like USDT and USDC, even if the private key is not leaked, the tokens may still be frozen at the contract level for compliance reasons.
For businesses, accepting USDT payments shouldn't be limited to just whether the funds have arrived; they also need to ensure the source of the funds is clean. If the payment comes from sanctioned addresses, fraudulent addresses, hacker addresses, or high-risk OTC markets, they may subsequently face risks such as exchanges refusing deposits, account risk control measures, fund freezes, and compliance investigations.