Wallet Identity · Financial Overview · Holdings · Activity Patterns · Account Structure
| Field | Value |
|---|---|
| Entity | OKX. Hot Wallet_116 |
| Blockchain | TRON mainnet · TRC-20 USDT wallet |
| Account Age | 5 days (0.01 years) ‖ Active: 2026-05-28 20:27:48 UTC → 2026-06-03 02:01:33 UTC |
| TRX Balance | 45568.7134 TRX |
| Transactions | 96,386 total · 1980 USDT transfers (659 in · 1321 out) · 1216 counterparties |
| Total USDT In | $52.15M |
| Total USDT Out | $80.86M |
| Net Balance | $-28.71M |
Confirmed OKX exchange hot wallet (Hot Wallet_116) — bidirectional high-volume flows consistent with customer withdrawal disbursement and institutional reserve funding. The wallet is 5 days old at scrape time; inflows are 100% OKX institutional. The critical finding is a $22.76M outflow to a confirmed phishing address (OKLink: 'Phishing address'), representing the largest single outflow destination in the wallet's short operational history.
Inflows averaged $79,136 per event (659 events, $52.15M total) reflecting institutional reserve transfers from OKX Withdraw_159 and user routing. Outflows averaged $61,210 per event (1,321 events, $80.86M total) reflecting customer withdrawal disbursements of varying sizes. The 2:1 outbound-to-inbound transfer ratio is standard for exchange withdrawal hot wallet operations.
45,568.71 TRX (≈$15.1K) float maintained for energy and bandwidth. 96,386 transactions in 5 days (19,277/day) confirms continuous automated operation. Principal adverse finding: TMj17yryskb2aP7H9BMgb2qhXKNNaN89Gs (OKLink: ‘Phishing address’) received $22.76M (28.2% of outflows) — OKX customers directed withdrawals to this phishing-controlled address. BTSE Cold Wallet_1 received $18.39M (22.7%) as inter-exchange institutional settlement.
Over 5 days, UTC 14:00 was the hourly peak (143 events, 7.2%) with a broad active cluster from 09:00 to 20:00 UTC. Near-zero activity at 02:00 UTC (17 events) is consistent with a brief maintenance window during China morning hours (10:00 CST). Wednesday and Thursday DOW figures are creation-date artifacts. The distribution is consistent with OKX's Asia Pacific operational base and global user coverage.
Confirmed automated operation. 96,386 transactions in 5 days and continuous bidirectional USDT routing confirm exchange software processing. No manual operation signature is present; withdrawal disbursement is systematic and programmatic.
| REF | SOURCE |
|---|---|
| S1 | Tronscan — On-chain dataset · tronscan.org/#/address/TBwBJwj81yXc4DNKS19GJcpUUzfSWRbBzS |
| S2 | OKLink — TRON Address Detail · www.oklink.com/tron/address/TBwBJwj81yXc4DNKS19GJcpUUzfSWRbB… |
Counterparty Map · Inflow Architecture · Outflow Architecture
Upstream · Top 5 Funders
| ID | Address | Volume in | Attribution | Risk |
|---|---|---|---|---|
| A1 | TLaGjwhvA8XQYSxFAcAXy7Dvuue9eGYitv | $26.60M | OKX. Withdraw_159 | LOW |
| A2 | TVxG5YKwAtfuM3QmTqWDehk9FYGytru6Xi | $15.53M | OKX. User | LOW |
| A3 | TR2mVXEqL1gcsdhPbT6Z5AoQxKb7L1LxeD | $4.21M | OKX. User | LOW |
| A4 | TXKrjJBiaDqFatpDYGHNowEvVc3i9887KJ | $969,995.70 | OKX. User | LOW |
| A5 | TXAyqdGYU6sSousxoFMVQAUenXUeZqRLPr | $701,399.00 | OKX. User | LOW |
Downstream · Top 5 Destinations
| ID | Address | Volume out | Attribution | Risk |
|---|---|---|---|---|
| B1 | TLaGjwhvA8XQYSxFAcAXy7Dvuue9eGYitv | $26.92M | OKX. Withdraw_159 | MEDIUM |
| B2 | TMj17yryskb2aP7H9BMgb2qhXKNNaN89Gs | $22.76M | Phishing | MEDIUM |
| B3 | TNBDqsyDiHB2j7NaQGyw3Kej6L4MAZGPg5 | $18.39M | BTSE. Cold Wallet_1 | MEDIUM |
| B4 | TLeQfDqi9VeT8VgTgXHtivdsLJiZkB1ro4 | $4.00M | Binance. User | LOW |
| B5 | TTRib8xqiN1sfDBYSAYsG1HQTdxTghvNGa | $3.91M | Binance. User | LOW |
Account Structure · Protocol Interactions · Threat Exposure
| Field | Value |
|---|---|
| Address Type | TRON Account (EOA) |
| Script Encoding | TRC-20 USDT wallet |
| UTXO Count | N/A — TRON account model |
| Clustering | Arkham: 'OKX: Hot Wallet (TBwBJ)'; OKLink: '#OKX Hot Wallet_116' |
| Service Label | OKX Exchange — Hot Wallet_116 (attribution HIGH) |
| VASP Exposure | OKX exchange (confirmed custodial VASP) |
| Wallet Software | Exchange infrastructure (automated); created 2026-05-28 |
| Category | Status |
|---|---|
| Exchange Deposits / Withdrawals | ACTIVE: Confirmed — OKX Hot Wallet_116 withdrawal disbursement function |
| DeFi / Smart Contract Interaction | NONE (none identified) |
| Lightning Network Channels | NONE |
| Ordinals / Inscriptions | NONE |
| Mixing / CoinJoin Services | NONE |
| Cross-Chain Bridges | NONE |
| Sanctions-Listed Address Contact | NONE (TMj17 is phishing-labeled, not OFAC/EU/UN sanctioned) |
| Date | Category | Source | Nominal | Outcome |
|---|---|---|---|---|
| 2026-05-28 | Third-Party Risk | …XKNNaN89Gs | $22.76M USDT (28.2% of outflows) | FUNDS SENT |
Network connections bifurcate into two categories: (1) OKX ecosystem (inflows and some outflows) representing the legitimate exchange network; (2) TMj17 phishing address, representing an adverse network link at 28.2% of outflows. BTSE Cold Wallet_1 represents a confirmed institutional inter-exchange connection. The phishing address (TMj17) retains $2.48M USDT, indicating the phishing operation may still be active or the proceeds have not been fully liquidated.
| CRITERION | FINDING | ASSESSMENT |
|---|---|---|
| 1. Sanctions (OFAC/EU/UN) | CLEAR | |
| 2. Fraud/Scam Exposure | CLEAR | |
| 3. Ransomware/Darknet | CLEAR | |
| 4. Mixer/CoinJoin | CLEAR | |
| 5. Exchange Source Verif. | CLEAR | |
| 6. Structuring/Layering | CLEAR | |
| 7. Third-Party Risk | ELEVATED | |
| 8. Address Poisoning | CLEAR | |
OKX is a registered global cryptocurrency exchange. The wallet is confirmed OKX infrastructure; its operations are consistent with normal VASP withdrawal disbursement. The phishing counterparty finding (TMj17) does not constitute a regulatory violation by OKX — exchange hot wallets process customer-directed withdrawal requests and do not independently verify every destination address. However, the $22.76M scale of phishing-linked outflows warrants notification to OKX compliance and may trigger SAR reporting obligations under applicable AML regulations for institutions with counterparty exposure to TMj17.
Flagged Patterns & Significant Observations
| ID | Date | Event | Severity | Significance |
|---|---|---|---|---|
| A-01 | 2026-05-28 | Phishing Address Counterparty — $22.76M Outflow. TMj17yryskb2aP7H9BMgb2qhXKNNaN89Gs (OKLink: 'Phishing address') received 28.2% of all outflows ($22.76M) from this OKX hot wallet. Residual balance: $2.48M USDT + $3.34K TRX. | CRITICAL | Largest single outflow destination is a confirmed phishing address. Indicates a large-scale phishing campaign targeting OKX withdrawal customers. The wallet is not the perpetrator; it processed customer-directed withdrawal requests. |
TBwBJwj81yXc4DNKS19GJcpUUzfSWRbBzS is confirmed OKX Hot Wallet_116, independently attributed by Arkham and OKLink. In 5 days: $52.15M in / $80.86M out across 1,980 USDT transfers; 1,216 counterparties. Critical finding: TMj17yryskb2aP7H9BMgb2qhXKNNaN89Gs (OKLink 'Phishing address') received $22.76M (28.2% of outflows) — Third-Party Risk elevated to 0.25. All inflows fully OKX-sourced. AML: LOW. Security: PROFICIENT (90). Attribution: HIGH. Priority action: flag TMj17 and notify OKX compliance.
Hypothesis Assessment
Probabilities sum to 100%. Attribution confidence: 95 / 5.
This wallet is confirmed OKX exchange infrastructure. Any counterparty interaction with this address is an interaction with the OKX platform. The phishing address finding (TMj17, $22.76M) indicates a significant phishing campaign targeting OKX customers. If TMj17 appears in your customer's transaction history, enhanced due diligence and SAR assessment are warranted. If you are an OKX customer who withdrew funds to a phishing address during May–June 2026, contact OKX security immediately.
Government Records · Press Coverage · Research & Analytics · Blockchain Intelligence
Inbound flows are 100% OKX institutional. Outbound routing contains one critical adverse link: TMj17 phishing address ($22.76M, 28.2%). BTSE institutional settlement and 1,200+ customer withdrawals account for the remainder.
Priority Actions & Engagement Opportunities
| Priority | Action |
|---|---|
| P1 | Notify OKX Compliance — Report the phishing counterparty finding (TMj17, $22.76M) to OKX security/compliance team. Request confirmation of the phishing incident and any customer restitution actions. · Regulatory |
| P2 | Flag TMj17 Across All Systems — Add TMj17yryskb2aP7H9BMgb2qhXKNNaN89Gs to all monitoring systems. Track residual $2.48M USDT balance for movement; any outflow may indicate active liquidation of phishing proceeds. · On-chain |
| P3 | SAR Assessment — Evaluate SAR obligations for any institution with documented counterparty exposure to TMj17yryskb2aP7H9BMgb2qhXKNNaN89Gs. · SAR |
| P4 | OSINT — Phishing Address Investigation — Conduct OSINT on TMj17yryskb2aP7H9BMgb2qhXKNNaN89Gs; search for OKX phishing incident reports, security advisories, and any victim disclosures referencing this address or the May–June 2026 period. · OSINT |
Priority action: flag TMj17yryskb2aP7H9BMgb2qhXKNNaN89Gs (phishing address, $22.76M received) across all monitoring systems and notify OKX compliance. The $2.48M residual USDT balance at the phishing address has not been moved — monitoring for outflow will indicate when/if the phishing operator liquidates remaining proceeds.
| REF | SOURCE |
|---|---|
| S1 | On-chain dataset -- TRC-20 Transfers https://tronscan.org/#/address/TBwBJwj81yXc4DNKS19GJcpUUzfSW… Full TRC-20 transfer history via Tronscan API. Retrieved 2026-06-03. |
| S2 | On-chain dataset -- Raw Transactions https://tronscan.org/#/address/TBwBJwj81yXc4DNKS19GJcpUUzfSW… Full transaction log via Tronscan API. Retrieved 2026-06-03. |
| S3 | Arkham -- Address Profile https://intel.arkm.com/explorer/address/TBwBJwj81yXc4DNKS19G… Screenshot captured 2026-06-03. File: screenshot_arkham.png |
| S4 | Tronscan -- Address Profile https://tronscan.org/#/address/TBwBJwj81yXc4DNKS19GJcpUUzfSW… Screenshot captured 2026-06-03. File: screenshot_tronscan.png |
| S5 | OKLink -- Address Profile https://www.oklink.com/tron/address/TBwBJwj81yXc4DNKS19GJcpU… Screenshot captured 2026-06-03. File: screenshot_oklink.png |
| TERM | DEFINITION |
|---|---|
| Phishing Address | An address flagged by blockchain intelligence platforms as associated with phishing operations — typically used to receive funds from victims deceived into providing fraudulent withdrawal or payment destinations. |
| Inter-Exchange Settlement | A transfer between two known exchange cold or treasury wallets representing institutional-level liquidity movement, not a customer transaction — standard in exchange treasury management. |
| Hot Wallet | An exchange-operated online wallet used for processing real-time customer deposits and withdrawals; maintains a working balance of assets for immediate disbursement. |