KALLISTI BLOCKCHAIN FORENSICS
TRC-20 (USDT primary asset) + native TRX
---
Target Wallet Address
TFvuXyB7AhCV7jZcC9uukZDqrqCvsZQMJh
Report Date: 2026-06-01 · Prepared by Kallisti Blockchain Forensics
Wallet Identity · Financial Overview · Holdings · Activity Patterns · Account Structure
| Entity | TFvuXyB7AhCV7jZcC9uukZDqrqCvsZQMJh |
| Blockchain | TRON mainnet · TRC-20 USDT wallet |
| Account Age | 518 days (1.42 years) ‖ Active: 2024-12-17 02:10:48 UTC → 2026-05-20 00:25:57 UTC |
| TRX Balance | 148.9935 TRX |
| Transactions | 70 total · 46 USDT transfers (40 in · 6 out) · 11 counterparties |
| Total USDT In | $221.04M |
| Total USDT Out | $75.00M |
| Net Balance | $146.04M |
This is a USDT accumulation wallet with treasury characteristics: 66% balance retention ($146M of $221M inflows held), concentrated sourcing from a small controlled feeder set, and infrequent bulk outflows. The wallet does not interact with DeFi protocols, does not receive material exchange deposits, and does not exhibit retail spending patterns. The operational signature is that of a dedicated single-purpose treasury account.
Inbound transfers range from four $100 activation probes — standard address ownership verification — to single deposits of $36M, with the dominant tranche size in the $5M–36M institutional range. Outbound transfers are strictly round: $60,000,000 on 2025-03-15 and $15,000,000 on 2026-02-12. Variable inbound sizes combined with round-number outflow discipline is consistent with instruction-driven treasury disbursement.
The wallet is a standard TRON external account (EOA), not a smart contract. Address reuse is total across 518 days; all 11 counterparties interact with the same single address. The TRX float of 148.99 TRX is deliberately maintained at a level sufficient for bandwidth and energy without over-funding. Outflow concentration is extreme: two counterparties received 100% of outbound value on only two calendar dates across 518 active days.
Friday carries 2.2% of events vs. Monday–Thursday at 78.3% (peak Tuesday, 34.8%); hourly peak 08:00–16:00 UTC maps to Gulf working hours (UTC+3/+4) — consistent with an Islamic business calendar operator. The 222-day dormancy (2025-03-15 to 2025-10-23) is the defining feature: $60M dispatched, silence, then a $67.6M two-day burst on resumption — deliberate operational pause, not abandonment.
The wallet shows no evidence of automated or scripted operation. Transfer intervals are highly irregular (ranging from same-day batches to multi-month gaps), batch sizes vary widely, and no fixed-schedule or equal-amount pattern is present. The human-operated profile is reinforced by the business-hours DOW concentration and the manual address-probe pattern at activation.
| S1 | Tronscan — On-chain dataset · tronscan.org/#/address/TFvuXyB7AhCV7jZcC9uukZDqrqCvsZQMJh |
| S2 | OKLink — TRON Address Detail · www.oklink.com/tron/address/TFvuXyB7AhCV7jZcC9uukZDqrqCvsZQM… |
Counterparty Map · Inflow Architecture · Outflow Architecture
Upstream · Top 5 Funders
| ID | Address | Volume in | Attribution | Risk |
|---|---|---|---|---|
| A1 | TKJa5yhD6SX42CbZjwuArnc1o3MJ5ZNeug | $87.10M | Unattributed | MEDIUM |
| A2 | TG1behizYfNrrzAoNS1tSL86pEbgb53LtN | $66.43M | Unattributed | MEDIUM |
| A3 | TPXfkQLTytwww2SrRY63vMrCmwy3t8theN | $39.22M | Unattributed | MEDIUM |
| A4 | TNS17kGeCNke3PRrj7tteuyiwbR4q8Ls1B | $28.28M | Unattributed | MEDIUM |
| A5 | TAzsQ9Gx8eqFNFSKbeXrbi45CuVPHzA8wr | $7,166.55 | Binance: Withdraw_18 | LOW |
Downstream · Top 5 Destinations
| ID | Address | Volume out | Attribution | Risk |
|---|---|---|---|---|
| B1 | TWvr9cZLK9995Nxg7Qans8opngwSi21V6R | $60.00M | Relay — Pass-Through | MEDIUM |
| B2 | TKBs4Fwyz7dk8mBW726zNytnGHWEmTDSLQ | $15.00M | Unattributed | MEDIUM |
| B3 | TWvrxbCvRvvy3tL5yfvPZ66wndwiD21V6R | $0.00 | Unattributed | LOW |
Account Structure · Protocol Interactions · Threat Exposure
| Address Type | TRON External Account (EOA) — standard externally controlled address |
| Script Encoding | TRC-20 USDT account · native TRX |
| UTXO Count | N/A — TRON account model |
| Clustering | None identified — Arkham, OKLink, and Tronscan carry no cluster or entity label |
| Service Label | None — unattributed across all sources |
| VASP Exposure | Indirect — $7,166.55 received from Binance: Withdraw_18 (…45CuVPHzA8wr) on 2026-01-10 |
| Wallet Software | Unknown — no characteristic on-chain footprint |
| Category | Status |
|---|---|
| Exchange Deposits / Withdrawals | LIMITED Indirect — $7,166.55 received from Binance (Withdraw_18) on 2026-01-10 · no direct exchange deposit or withdrawal identified |
| DeFi / Smart Contract Interaction | NONE None identified |
| Lightning Network Channels | N/A N/A — TRON |
| Ordinals / Inscriptions | N/A N/A — TRON |
| Mixing / CoinJoin Services | NONE None identified |
| Cross-Chain Bridges | NONE None identified |
| Sanctions-Listed Address Contact | NONE None identified |
| Date | Category | Source | Nominal | Outcome |
|---|---|---|---|---|
| 2026-06-01 | Address Poisoning | …96ZmcTDRde | 136,959,514 stUSD units airdropped — USDT name-mimic; clipboard hijack risk | LOW |
| 2026-06-01 | Address Poisoning | …oi3nmg4hnE | AML-named token airdropped — social-engineering probe for compliance reviewers | LOW |
Security rating ADEQUATE (62/100). The wallet is a standard TRON external account with no multisig protection, timelock, or smart-contract custody. The TRX float is appropriately sized for operational needs without over-funding. The primary security exposure is address poisoning: two targeted instruments have been airdropped, indicating this wallet is on active adversarial lists. A $146M balance without enhanced custody is a material operational risk; any operator sending from this address should verify recipient addresses independently of clipboard copy-paste workflows.
| CRITERION | FINDING | ASSESSMENT | |
| 1. Sanctions (OFAC/EU/UN) | CLEAR | ||
| 2. Fraud/Scam Exposure | CLEAR | ||
| 3. Ransomware/Darknet | CLEAR | ||
| 4. Mixer/CoinJoin | CLEAR | ||
| 5. Exchange Source Verif. | MONITOR | ||
| 6. Structuring/Layering | MONITOR | ||
| 7. Third-Party Risk | MONITOR | ||
| 8. Address Poisoning | MONITOR |
The wallet has no DeFi, staking, cross-chain bridge, or protocol interaction of any kind. All 70 on-chain transactions are TRC-20 USDT transfers or associated zero-value contract events. The absence of protocol entanglement simplifies AML assessment: there is no DeFi obfuscation layer, no bridge-hop complexity, and no staking contract encumbrance to account for.
Flagged Patterns & Significant Observations
| ID | Date | Event | Severity | Significance |
| A-01 | 2025-03-15 | 222-Day Operational Dormancy. Following a $60M outflow on 2025-03-15, the wallet recorded no on-chain activity for 222 days, resuming 2025-10-23 with $67.6M in two-day inflows. | NOTABLE | Extended dormancy immediately after a large outflow may indicate a compliance review, key-holder unavailability, or a deliberate operational pause. |
| A-02 | 2024-12-17 | Address Verification Probes at Activation. Four separate $100 USDT transfers received on wallet activation date before the first substantive deposit ($21.56M on same date). | LOW | Consistent with address ownership verification by multiple parties before committing large capital; not adverse. |
| A-03 | 2025-03-15 | Zero-Value TRC-20 Events on Outflow Date. Two $0.00 TRC-20 transfer events recorded on the same date as the $60M outflow. | LOW | Likely contract trigger calls associated with the outflow transaction; not adverse. |
TFvuXyB7AhCV7jZcC9uukZDqrqCvsZQMJh is an unattributed TRON USDT wallet holding $146.04M, accumulating $221.04M from four coordinated feeder wallets over 518 days. Source attribution is entirely unresolved for 99.6% of inflows. Activity pattern and timezone signature point to a Gulf-region operator (UTC+3/+4, Islamic business calendar). Two outflow events totalling $75M route through a relay wallet with $716M lifetime throughput connecting to an unidentified downstream cluster. AML risk is assessed LOW — no confirmed adverse indicator identified; four MONITOR items (source unverifiability, aggregation pattern, relay outflows, address poisoning) are investigation priorities.
Hypothesis Assessment
Probabilities sum to 100%. Attribution confidence: MEDIUM.
This report documents a $146M unattributed USDT treasury on the TRON blockchain. No sanctions exposure, fraud reports, or confirmed AML violations have been identified; the LOW rating reflects four unresolved MONITOR items rather than confirmed contamination; the inability to verify the source of 99.6% of inflows and the use of a relay intermediary for outflows. The wallet warrants continued monitoring and, where jurisdiction permits, counterparty verification requests to establish beneficial ownership.
Government Records · Press Coverage · Research & Analytics · Blockchain Intelligence
Priority Actions & Engagement Opportunities
| P1 | Counterparty Attribution — Top 4 Feeder Wallets — Submit TKJa5yhD6SX42CbZjwuArnc1o3MJ5ZNeug, TG1behizYfNrrzAoNS1tSL86pEbgb53LtN, TPXfkQLTytwww2SrRY63vMrCmwy3t8theN, and TNS17kGeCNke3PRrj7tteuyiwbR4q8Ls1B to analytics platforms and cross-reference against OTC broker databases; these four wallets represent 99.6% of total inflows. · On-chain |
| P2 | Relay Downstream Tracing — Trace hop-1 relay (TWvr9cZLK9995Nxg7Qans8opngwSi21V6R) and its principal destinations TDXbhgxcFM7fnaTzz45HSzJMfCryE7kHme ($512.6M) and TDZ1caSxEinGpkFd9NjRdTsdws5qtawvF8 ($204M) to identify the terminus entity — likely an exchange or unregulated OTC desk. · On-chain |
| P3 | Beneficial Ownership Inquiry — If subject is under legal review, issue a voluntary disclosure or MLAT request to the operator of the primary feeder wallets to establish beneficial ownership of the subject address. · Legal |
| P4 | Monitoring Alert — Set automated alerts on subject wallet and the four feeder addresses for large-value USDT movements (threshold ≥$5M); the wallet remains active as of 2026-05-20. · On-chain |
Recommended actions are prioritised by investigative yield. Attribution of the four principal feeder wallets is the highest-value step as it would resolve the source of 99.6% of total inflows. Relay downstream tracing is the second priority and would identify the fund destination. Beneficial ownership inquiry requires legal process but would definitively resolve the operator identity.
| REF | SOURCE |
|---|---|
| S1 | On-chain dataset -- TRC-20 Transfers https://tronscan.org/#/address/TFvuXyB7AhCV7jZcC9uukZDqrqCvs… Full TRC-20 transfer history via Tronscan API. Retrieved 2026-06-01. |
| S2 | On-chain dataset -- Raw Transactions https://tronscan.org/#/address/TFvuXyB7AhCV7jZcC9uukZDqrqCvs… Full transaction log via Tronscan API. Retrieved 2026-06-01. |
| S3 | Arkham -- Address Profile https://intel.arkm.com/explorer/address/TFvuXyB7AhCV7jZcC9uu… Screenshot captured 2026-06-01. File: screenshot_arkham.png |
| S4 | Tronscan -- Address Profile https://tronscan.org/#/address/TFvuXyB7AhCV7jZcC9uukZDqrqCvs… Screenshot captured 2026-06-01. File: screenshot_tronscan.png |
| S5 | Oklink -- Address Profile https://www.oklink.com/tron/address/TFvuXyB7AhCV7jZcC9uukZDq… Screenshot captured 2026-06-01. File: screenshot_oklink.png |
| TERM | DEFINITION |
|---|---|
| USDT (Tether) | A US dollar-pegged stablecoin issued by Tether Ltd; on the TRON blockchain it is a TRC-20 token and the most widely used settlement asset for large-value transfers. |
| TRC-20 | The TRON network standard for fungible tokens, equivalent to ERC-20 on Ethereum; USDT on TRON operates under this standard. |
| TRON | A high-throughput, low-fee public blockchain network widely used for USDT transfers, particularly in Asia and the Middle East; native currency is TRX. |
| Feeder wallet | A wallet that aggregates funds from multiple sources and forwards them to a central address; used to collect and consolidate capital before onward transfer. |
| Relay wallet | A wallet that receives funds and immediately forwards them to one or more downstream addresses, retaining no residual balance; a classical layering instrument in multi-hop fund movement. |
| Address poisoning | An attack technique where a small amount of a look-alike or airdrop token is sent to a target wallet, hoping the victim copies the attacker’s address from transaction history when making future transfers. |
| Address probe | A very small test transfer (typically $1–$100) sent to verify that a wallet address is live and correctly specified before committing a larger transaction. |
| EOA (Externally Owned Account) | A standard blockchain account controlled by a private key, as opposed to a smart contract; TRON EOAs offer no multisig or programmable custody features. |