1. EventBackground
On April 23, 2026, Tether announced that it had cooperated with the U.S. Department of the Treasury and law enforcement agencies to freeze two USDT addresses on the TRON network, with a total frozen amount of approximately 344 million USDT. The following day, the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury added these two addresses to the SDN sanctions list related to Iran's Central Bank, Bank Markazi, and flagged their connections to sanctioned entities such as the IRGC-Qods Force and Hezbollah. The two addresses that were frozen are as follows:
- Address: TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81; Chain: TRON/TRC20-USDT; Frozen Amount: Approximately 212,922,653 USDT; Current Public Classification: Marked by OFAC as an address associated with the Central Bank of Iran; - Address: TTiDLWE6fZK8okMJv6ijg42yrH6W2pjSr9; Chain: TRON/TRC20-USDT; Frozen Amount: Approximately 131,288,800 USDT; Current Public Qualification: Marked by OFAC as an address associated with the Central Bank of Iran;
The reason this incident was classified by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury as an “address associated with the Iranian government” is not primarily based on a single on-chain transaction, but rather on multiple lines of evidence:
- First, OFAC directly included two addresses in the Iran Central Bank’s relevant sanctions entries;
- Second, the Office of Foreign Assets Control (OFAC) at the U.S. Department of the Treasury and on-chain analytics firms believe that these addresses have transactional links to Iranian exchanges, wallets associated with the Central Bank of Iran, and intermediary addresses.
- Third, two addresses have been consistently receiving large amounts of USDT over a long period, rarely transferring funds out, and have remained dormant for extended periods. Their behavioral characteristics are more akin to institutional-level reserves or funding pools rather than ordinary user wallets.
But it needs to be made clear that,OFAC’s designation of sanctions is based on official legal and intelligence assessments; publicly available on-chain data alone cannot directly prove that the private keys are held directly by the Iranian government or the Central Bank of Iran.In other words, what can currently be confirmed is that “U.S. authorities have officially determined that the entity is associated with the Central Bank of Iran,” but we cannot draw the conclusion—that “these two addresses are definitely wallets directly controlled by the Iranian government”—based solely on publicly available on-chain data.
2. DetailedAnalysis
2.1. On-chain characteristics of two frozen addresses
According to on-chain data, both addresses exhibit distinct characteristics: "large inflows, low outflow ratios, and long-term immobility." Among them, TNiq9...ZH81 is the address with the larger balance, having accumulated total historical revenues of approximately 228.6 million USDT and transferred out about 15.73 million USDT, representing an outflow ratio of roughly 6.9%. The frozen balance of TTiDL...Sr9 is approximately 131.3 million USDT, and it was added to the USDT blacklist at 12:02 UTC on April 23, 2026. These types of addresses are neither typical high-frequency money-laundering transit addresses nor exchange hot wallets. A more plausible interpretation is that the two may serve as a “reserve layer” or “consolidation layer” within a certain funds network. TRM Labs’ combined analysis of the two addresses also indicates that they have collectively received approximately 370 million U.S. dollars through about 1,000 transactions—most of which were accumulated by the end of 2023 and have since remained dormant for an extended period, making them more akin to “reserve wallets” than everyday operational wallets.
2.2. The relationship between two frozen addresses
The two addresses are not isolated. As noted in the public analysis, TTiDL...Sr9 once transferred approximately 86 million USDT to TNiq9...ZH81. This transaction indicates a direct financial link between the two addresses, supporting the conclusion that they belong to the same funding structure or the same operational network.
However, this does not mean that “the two entities are necessarily directly controlled by the Central Bank of Iran.” A more accurate statement would be: This $8.6 million USDT transfer demonstrates a financial coordination relationship between the two entities, but it does not prove who actually controls the private keys in the real world, nor does it rule out the possibility that a third-party broker, OTC platform, call center operator, or clearinghouse might be holding or operating these funds on their behalf.
2.3. Upstream Transaction Address Analysis
According to the public ledger and preliminary analysis, several key upstream addresses include:
- Address: TD2BiYkihphjrK35YQy1QGxGotSo86vVnk; Role Identification: Primary upstream funder; Relationship to the frozen address: Source of funds at approximately 29M/30M level; Conclusion: Likely an upstream funding pool, broker, or call management address.
- Address: TZ3xL5jeBXyo8jPDvh2veBtJZCJozHq81t; Role Identification: Primary upstream funder; Relationship to the frozen address: Source of funds at approximately 16.5M level; Conclusion: Funder-001 constitutes the same funding pathway.
- Address: TYkdG6k1987mkfU5ZzYf9ZK3xi989jNMPJ; Role Identification: Secondary Funder; Relationship to Frozen Address: Smaller Amount; Conclusion: Has significance in providing supporting evidence for a shared funding structure.
- Address: TGzGetNjyDNv4ByMaLwPqG3U8tskNwQsbL; Role Identification: Secondary Funder; Relationship to Frozen Address: Smaller Amount; Conclusion: More likely to be an edge or test-type upstream address.
- Address: TCXfhTDMuS6pbfCEoACPcBf2EnnhMAAEWh; Role Identification: Key Transit Hub;Relationship with the frozen address: Approximately 274.6 million USDT in total transaction volume; Conclusion: More akin to a clearing or transit node
Among them, Funder-001 and Funder-002 are of particular significance. Rather than being small, fragmented entries from individual investors, these addresses receive relatively large sums of money in a more concentrated manner into the same funding structure, suggesting that the frozen addresses may be linked to institutional-level funding sources, OTC brokers, multi-address management platforms, or clearing networks. Funder-001 and Funder-002 cannot simply be labeled as “Iranian government addresses”; a more precise description would be “suspected upstream high-value funding source addresses, potentially representing either the supply side or the brokerage end of Iran-related funding networks.” Furthermore, the key hub TCXfh...AEWh deserves even greater attention. This address is described as a high-volume funds transit node, handling approximately 274.6 million USDT in total transaction volume, with a balance nearing zero—a characteristic of a transit node that “passes through but does not hold for long periods.” This suggests that the entire funding structure may not merely be a simple “cold wallet belonging to the Central Bank of Iran,” but rather resembles something more complex:
Upstream funding source/broker → Aggregation wallet → Operational wallet → Clearing Hub → Exchange, cross-chain bridge, DeFi, or other settlement pathways
This structure better aligns with a hybrid network comprising “state- related funds + third-party financial infrastructure + exchange-edge accounts,” and Not a single-government wallet model.
Meanwhile, according to data from the official website of the U.S. Department of the Treasury, there are a total of 9 TRON cryptocurrency addresses related to Iran explicitly listed on the SDN List. Based on this information, this analysis has built a sanctions address reference database that includes 7 known entities, such as the ZEDCEX exchange, and has conducted a rigorous comparison against the 45 valid counterparties involved in the two addresses currently under sanctions (17 associated with TARGET and 28 associated with TNiq9):
- In the “first-hop” verification targeting direct trading counterparties, the data show that, aside from internal fund transfers between TARGET and TNiq9, neither party has engaged in direct interactions with any Iranian addresses listed in the reference database.
- In the “Hop-2” tracing test—designed to identify hidden connections—the investigation has been further extended to cover upstream and downstream transactions involving all direct counterparties. On-chain tracking results show that, within the Hop-2 scope, no funds have been found flowing between any of the involved upstream funding hubs (such as TCXfh...) and their downstream destinations and known Iranian sanctions addresses.
2.4. Currently, it cannot be clearly proven that the address is directly controlled by the Iranian government.
Overall, the publicly available information currently supports the following judgment:
- First, the two addresses have been officially designated by OFAC as addresses associated with the Central Bank of Iran;
- Second, the on-chain behaviors of the two addresses exhibit characteristics of large-reserve liquidity pools;
- Third, the two addresses have fund connections with multiple upstream funders, key transit hubs, and exchange edge addresses;
- Fourth, there is a direct transfer of 8.6 million USDT between the two addresses.
However, publicly available information still has significant shortcomings: the full investigation materials have not been disclosed; there is no public proof identifying the owner of the private key; there is no evidence confirming that the upstream funder’s address is indeed the address of the Iranian government; and it remains impossible to rule out the involvement of third-party brokers, OTC platforms, call centers, exchange edge accounts, or mixnet clearing networks.
The behaviors of these two addresses don’t resemble those typical of IRGC wallets; they exhibit mixed exposure to trading infrastructure such as Bitfinex, HTX, and Huione, and have previously been linked to overlaps with scam-related activity. All these factors undermine the simplistic narrative that “this is a clean, closed address exclusively belonging to the Iranian government’s reserves.”
Therefore, this report recommends adopting a more cautious qualitative approach:
These two addresses can be described as “OFAC-designated Iran Central Bank-related addresses” or “large-value reserve/collection addresses suspected of being part of an Iran-linked financial network,” but they should not be directly labeled as “wallet addresses confirmed to be directly controlled by the Iranian government.”
3. ImpactAnalysis
3.1. Impact on Stablecoins
This incident once again demonstrates that centralized stablecoins such as USDT are not entirely censorship-resistant assets. Although USDT operates on a public blockchain, its issuer still has the ability—at the smart contract level—to impose blacklists and freeze specific addresses. Therefore, USDT is more accurately described as a combination of an “on-chain dollar certificate plus the issuer’s compliance control authority,” rather than fully unfreezable on-chain cash. This situation has a dual impact: on the one hand, compliance organizations and regulatory authorities will place greater emphasis on the manageability of stablecoins; on the other hand, users who prioritize decentralization and censorship resistance will reassess the freezing risks associated with centralized stablecoins.
3.2. Impact on the Public Blockchain Ecosystem
Both frozen addresses are located on the TRON network, indicating that TRON—known as a low-fee, highly liquid USDT transfer network—has become a key focus of on-chain regulatory and law enforcement attention. In the future, regulators will not only focus on the public blockchains themselves but will also pay closer attention to stablecoin issuers, exchanges, OTC platforms, cross-chain bridges, wallet service
providers, on-chain data service providers, and fiat-to-crypto and crypto-to-fiat on-ramps and off-ramps. This means that although public blockchains remain technically neutral, the assets, entry points, exit points, and service providers on them are subject to real-world regulatory and geopolitical influences.
3.3. Impact on On-Chain Risk Control and Compliance Industries
This incident demonstrates that simply checking “whether a name is on the blacklist” is no longer sufficient. Truly effective risk management requires integrating address profiling,
Funds flow paths, multi-hop risks, exchange labels, OTC clusters, stablecoin freeze statuses, and address behavior patterns. In the future, on-chain compliance systems will need to answer not just whether “this address is on the OFAC list,” but also determine:
- How many hops away is this address from a high-risk address?
- Have you ever interacted with sanctioned entities, exchange deposit addresses, cross-chain bridges, or gray-market OTC platforms?
- Are there any abnormal patterns such as large-scale deposits, infrequent transactions, long-term dormancy, or sudden transfers?
Therefore, address profiling, fund flow tracking, multi-hop risk scoring, and stablecoin freeze monitoring will become the core capabilities of Web3 risk management products.
3.4. Impact on the Regulatory System
Traditional sanctions have primarily relied on banks, SWIFT, clearing houses, and financial institutions for enforcement. However, this incident demonstrates that stablecoin issuers are now becoming part of the sanctions enforcement chain. In the future, a new on-chain regulatory model may emerge:
OFAC Sanctions List + On-Chain Analytics Firm + Stablecoin Issuer + Exchange + Wallet Service Provider
This mechanism is more immediate than the traditional banking system because on-chain data is public, traceable, and can be automatically monitored. However, it also brings about issues such as false positives, opaque attribution, and insufficient appeal mechanisms.
3.5. Impact on Ordinary Users and Enterprises
For ordinary users, control of the private key does not equate to absolute asset security. For centralized stablecoins such as USDT and USDC, even if the private key hasn't been compromised, the tokens could still be frozen at the contract level for compliance reasons.
For businesses, accepting USDT payments shouldn't just focus on whether the funds have been credited; it's also crucial to ensure that the source of the funds is clean. If the funds are received from sanctioned addresses, scam addresses, hacker addresses, or high-risk OTC platforms, you may subsequently face risks such as exchange refusal to credit funds, account risk controls, fund freezes, and compliance investigations.
Insight Report Source: Global Cybersecurity Alliance
https://www.gcsa.org
Joy
Sanya
Brian
Kikyo
Edmund
JinseFinance