Global Cybersecurity Alliance Insight: 344 million USDT on the Tron chain frozen by OFAC, raising stablecoin regulatory risk

2026/05/29 01:44
Source: Global Cybersecurity Alliance

1. Context of the incident

On 23 April 2026, Tether announced that, in cooperation with the United States Treasury Department and law enforcement agencies, it had frozen two USDT addresses on the Tron network holding approximately 344 million USDT. The following day, the United States Treasury's Office of Foreign Assets Control (OFAC) added the two addresses to the SDN sanctions entry for the Central Bank of Iran (Bank Markazi) and identified them as linked to sanctions targets such as the IRGC-Qods Force and Hizballah. The two frozen addresses are:


• Address: TNiq9AXBp9EjUqhDhrwrfvA8U3GUQZH81; chain: Tron/TRC20-USDT; frozen amount: approximately 212,922,653 USDT; current public characterization: marked by OFAC as an address related to the Central Bank of Iran

• Address: TiDLWE6fZK8okMJv6Jg42yrH6W2pjSr9; chain: Tron/TRC20-USDT; frozen amount: approximately 131,288,800 USDT; current public characterization: marked by OFAC as an address related to the Central Bank of Iran

OFAC's characterization of these as “addresses related to the Iranian government” rests mainly on several judgements taken together, rather than on a single on-chain transaction:

First, OFAC directly placed the two addresses in the sanctions entries for the Central Bank of Iran.

Second, OFAC and chain analysis agencies believe that these addresses have transaction paths to the Iranian exchange, wallets related to the Central Bank of Iran and intermediate addresses.

Third, the two addresses received large amounts of USDT over time, with low-frequency transfers, long dormancy and behavioural characteristics closer to institutional-level reserves or pools than to ordinary user wallets.

It needs to be made clear, however, that OFAC's sanctions characterization is an official legal and intelligence judgement, and that publicly available on-chain information does not in itself directly prove that the private keys are in the hands of the Iranian government or the Central Bank of Iran. In other words, what can be confirmed at this point is that “OFAC has determined that the addresses are related to the Central Bank of Iran”; open on-chain data alone cannot support the conclusion that “the two addresses must be wallets under the direct control of the Iranian government”.

2. Detailed analysis

2.1 Chain features of two frozen addresses

On-chain data show that both addresses display a marked pattern of “large inflow, small outflow, long-term deposition”. TNiq9...ZH81 is the larger address, with total historical inflows of approximately 228.6 million USDT and total outbound transfers of about 1,573 million USDT, a transfer-out rate of about 6.9 per cent; TiDL...Sr9 has a frozen balance of about 131.3 million USDT and was added to the USDT blacklist on 23 April 2026 at 12:02 UTC.

Such behaviour does not resemble typical high-frequency money-laundering transit addresses or exchange hot wallets. It is more reasonable to understand both as sitting in a “reserve” or “decentralized” financial network. TRM Labs' combined analysis of the two addresses also concluded that they had received approximately $370 million cumulatively across about 1,000 transactions, most of it accumulated by the end of 2023 and followed by prolonged dormancy, which looks more like “reserve wallets” than daily operating wallets.

2.2 Relationship between the two frozen addresses

The two addresses do not exist in isolation. Public analysis mentioned that TiDL...Sr9 had transferred about 8.6 million USDT to TNiq9...ZH81. This transaction indicates a direct financial link between the two addresses, supporting the judgement that they belong to the same financial structure or the same operating network.

But this does not mean that “the two must be under the direct control of the Central Bank of Iran”. More precisely, the 8.6 million USDT transfer proves that there is a financial coordination relationship between the two, but it does not prove who controls the private keys in the real world, nor does it exclude the possibility of third-party brokers, OTC desks, trustees or liquidators holding or operating the addresses on their behalf.

2.3 Upstream transaction analysis

According to public mapping and earlier analysis, the more important upstream addresses include:

• Address: TD2BiYkihphjrK35YQy1GxGotSo86vVnk; role judgement: main upstream Funder; relationship to frozen address: approximately 29M / 30M level of funding; conclusion: may be an upstream pool, broker or custody address

• Address: TZ3xL5jeBXyo8jPvh2veBJZCJJZJZHq81t; role judgement: main upstream Funder; relationship to frozen address: approximately 16.5M level of funding; conclusion: the same funding path as Funder-001

• Address: TYkdG6k 1987mkkfU5ZZYf9ZK3xi989jNMPJ; role judgement: sub-Funder; relationship to frozen address: small amount; conclusion: useful as supporting evidence of a co-financing structure

• Address: TGzGetNjyDv4ByMaLwPqG3U8tskNwQsbL; role judgement: secondary Funder; relationship to frozen address: smaller amount; conclusion: more like a peripheral or test-type upstream address

• Address: TCXfhTD6pbfCEoACPcbf2EnnhMAEWh; role judgement: key transit Hub; relationship to frozen address: approximately 274.6 million USDT combined flows; conclusion: more like a clearing/transit node

Of these, Funder-001 and Funder-002 are the most significant. They are not scattered inflows; they bring larger, more concentrated amounts into the same financial structure, indicating that the frozen addresses may be linked to institutional sources of funding, OTC brokers, multi-address custody or clearing networks. Funder-001 and Funder-002 cannot simply be described as “addresses of the Government of Iran”; they are more accurately described as “suspected large upstream funding addresses, which may represent suppliers or brokers of Iran-related financial networks”.

In addition, the key Hub TCXfh... is even more noteworthy. The address is described as a large fund-corridor node that handled approximately 274.6 million USDT in combined flows while keeping a balance close to 0, showing the transit pattern of “passed through but not held long-term”. This suggests that the overall funding structure may not be a simple “cold wallet of the Central Bank of Iran” but something more like:

Upstream source of funds / broker → consolidation wallets → operating wallets → clearing Hub → exchange, cross-chain bridge, DeFi or other settlement path

This structure is more in line with a mixed network of “State-related finance + third-party financial infrastructure + exchange edge accounts” than with a single government wallet model.

At the same time, according to official United States Treasury website data, a total of nine Iran-related Tron cryptocurrency addresses are explicitly listed on the SDN list. On this basis, the analysis builds a reference library of sanctioned addresses covering seven known entities, such as the ZEDEX Exchange, and rigorously compares the 45 active counterparties (17 for TARGET and 28 for TNiq9) of the two addresses against it:

In the “first hop” verification of direct counterparties, the data showed that neither address had any direct interaction with any of the Iranian addresses in the reference library, apart from the internal transfers between TARGET and TNiq9.

In the “second hop” (Hop-2) retrospective test, which is designed to screen for hidden connections, the scope of the survey is extended to all upstream and downstream transactions of the direct counterparties. The chain tracing results indicate that no interaction with known sanctioned Iranian addresses was identified within the second hop for any of the upstream financial hubs involved (e.g. TCXfh...) or for downstream movements.

2.4 Direct control by the Government of Iran cannot be clearly established

Taken together, the public information currently supports the following findings:

First, the two addresses have been officially marked by OFAC as addresses related to the Central Bank of Iran.

Second, the on-chain behaviour of the two addresses has the characteristics of a large reserve pool.

Third, the two addresses have financial links to multiple upstream Funders, a key transit Hub and exchange edge addresses.

Fourth, there is a direct transfer of 8.6 million USDT between the two addresses.

However, the disclosed information remains manifestly deficient: complete investigative material has not been disclosed, private key controllers have not been publicly identified, the upstream Funder addresses have not been shown to be addresses of the Government of Iran, and the involvement of third-party brokers, OTC desks, trustees, exchange edge accounts or mixed clearing networks has not been excluded.

The two addresses did not behave like typical IRGC wallets; they were mixed with exposure to trading infrastructure such as Bitfinex, HTX and Huione, and were mentioned as overlapping with scam-related funds. These factors weaken the simple narrative that “this is a clean, closed address that belongs only to the Government of Iran”.

The report therefore recommends a more cautious characterization:

These two addresses can be described as “addresses related to the Central Bank of Iran as determined by OFAC” or as “large holdings of suspected Iran-related financial networks”, and it is not appropriate to describe them directly as “wallet addresses identified as directly controlled by the Government of Iran”.

3. Impact analysis

3.1 Impact on stablecoins

The incident again demonstrated that centralized stablecoins such as USDT are not entirely censorship-resistant. Although USDT runs on public chains, the issuer can still blacklist and freeze a specific address at the contract level. USDT is therefore more accurately a combination of “on-chain dollar voucher + issuer's compliance control” than completely unfreezable on-chain cash.

This has a twofold impact: on the one hand, compliance institutions and regulators will be more accepting of stablecoins because they can be regulated; on the other hand, users who emphasize decentralization and censorship resistance will reassess the freeze risk of centralized stablecoins.

3.2 Impact on the public chain ecosystem

Both frozen addresses are on the Tron network, which indicates that Tron, as a low-cost, highly liquid USDT transfer network, has become a focus of on-chain risk control and enforcement. Rather than focusing solely on the public chain itself, future regulation will focus more on stablecoin issuers, exchanges, OTC desks, cross-chain bridges, wallet service providers, on-chain data service providers and fiat currency access points.

This means that, while the public chain is technically neutral, the assets, entry and exit points and service providers on the chain are subject to real-world regulation and geopolitical influence.

3.3 Impact on on-chain risk control and compliance

The incident showed that simply checking whether an address has hit a “blacklist” is no longer sufficient. Truly effective risk control requires a combination of address profiling, fund-flow paths, multi-hop risk, exchange labels, OTC clusters, stablecoin freeze status and address behaviour patterns.

A future on-chain compliance system needs to answer more than “is this address on the OFAC list”; it also needs to judge:

How far is this address from a high-risk address?

Has it had any contact with sanctioned entities, exchange-value addresses, cross-chain bridges or grey OTC?

Are there unusual patterns such as heavy deposition, low-frequency payments, prolonged dormancy or sudden transfers?

As a result, address graphs, fund-flow tracing, multi-hop risk rating and stablecoin freeze monitoring will be the core capabilities of Web3 risk-control products.
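The hop-distance screening (Hop-2 in section 2.3) and the deposition-versus-transit behaviour discussed above can be sketched as follows. This is an added example, not code from the original report; the transfer list, address labels and amounts are constructed placeholders.

```python
from collections import deque

# Constructed sample transfers (sender, receiver, USDT). Labels are placeholders,
# not real Tron addresses; amounts are illustrative.
TRANSFERS = [
    ("FUNDER_1", "RESERVE_A", 30_000_000),
    ("FUNDER_2", "RESERVE_A", 16_500_000),
    ("RESERVE_B", "RESERVE_A", 8_600_000),
    ("RESERVE_A", "HUB_X", 3_000_000),
    ("HUB_X", "EXCHANGE_EDGE", 3_000_000),
    ("LISTED_1", "BROKER_Y", 500_000),
    ("BROKER_Y", "FUNDER_2", 400_000),
]
LISTED = {"LISTED_1"}  # stand-in for a reference library of sanctioned addresses


def build_graph(transfers):
    """Undirected adjacency: upstream and downstream counterparties both count."""
    graph = {}
    for src, dst, _amount in transfers:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set()).add(src)
    return graph


def hops_to_listed(graph, start, listed, max_hops):
    """Breadth-first search: hops to the nearest listed address, or None if
    nothing listed is reachable within max_hops."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in listed:
            return dist
        if dist == max_hops:
            continue  # do not expand beyond the screening depth
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def outflow_ratio(transfers, addr):
    """Total sent / total received; low suggests deposition, ~1.0 suggests transit."""
    received = sum(a for _s, d, a in transfers if d == addr)
    sent = sum(a for s, _d, a in transfers if s == addr)
    return sent / received if received else None
```

A clean result at two hops only bounds the search depth: in the constructed data RESERVE_A reaches a listed address at hop 3, so hop distance is best reported alongside the behavioural ratio rather than treated as a verdict.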

3.4 Impact on the regulatory system

While traditional sanctions rely mainly on banks, SWIFT, clearing houses and financial institutions, this incident shows that stablecoin issuers are becoming part of the sanctions enforcement chain. A new on-chain regulatory model may emerge in the future:

OFAC sanctions list + chain analysis company + stablecoin issuer + exchange + wallet service provider

This mechanism is more immediate than the traditional banking system, as the chain is open, traceable and automated. But it also raises issues such as collateral damage, black-box attribution and inadequate appeal mechanisms.

3.5 Impact on general users and enterprises

For ordinary users, private key control does not amount to absolute asset security. With centralized stablecoins such as USDT and USDC, tokens may be frozen at the contract level for compliance reasons even if the private key has not been leaked.

For enterprises, accepting USDT payments cannot be based solely on “attribution”; the cleanliness of the source of funds also matters. If the receipts come from sanctioned addresses, fraud addresses, hacker addresses or high-risk OTC, there may be risks of exchange refusals, account controls, freezing of funds, compliance investigations and so on.

Insight from: Global Cybersecurity Alliance


This article is a contributed piece and does not represent the views of Block Beats.