KALLISTI BLOCKCHAIN FORENSICS
TRC-20 (USDT primary asset) + native TRX
---
Target Wallet Address
THHiKCHNQKxrZiRy4rrqy5jitSP3nUvhJY
Report Date: 2026-05-30 · Prepared by Kallisti Blockchain Forensics
Wallet Identity · Financial Overview · Holdings · Activity Patterns · Account Structure
| Entity | THHiKCHNQKxrZiRy4rrqy5jitSP3nUvhJY |
| Blockchain | TRON mainnet · TRC-20 USDT wallet |
| Account Age | 528 days (1.45 years) · 2024-12-17 → 2026-05-29 |
| Transactions | 146 total · 62 USDT transfers (60 in · 2 out) · 19 counterparties |
| Net Balance | $148.90M USDT |
High-value accumulation and staging wallet — institutional-scale batches in, rare large transfers out. No retail behaviour: no payments, DeFi, or exchange deposits in 528 days.
47 of 60 inflows exceed $500K; median ~$2.8M. Near-round figures ($22.54M, $10.46M, $12.51M, $10.10M) indicate manual authorisation or threshold triggers. The $100 probe preceding $19.9M on 2026-04-21 is a deliberate pre-send security step.
43.9 TRX maintained as a gas reserve only — no staking, no Energy or Bandwidth delegation.
Single address; all 60 inflows target it directly. No cross-chain, no DeFi, no multi-sig. 100% of outbound USDT went to one destination.
Three phases: Initialization (Dec 2024, $32.56M in 14 days); Intermission (Jan–Sep 2025, micro-deposits only); Resumption (Oct 2025–present, weekly institutional batches). Tuesdays account for 47% of transfers (29/62); no other day exceeds 15%.
Hourly peaks at 07:00, 14:00, and 23:00 UTC (6 each) — three equal-weight batch windows ~7–9h apart. The 23:00 UTC peak maps to 07:00 in UTC+8 (Asian morning open), midnight in UTC+1, or 02:00 in UTC+3; most consistent with a UTC+7/+8 operator.
Tuesday concentration, consistent TRX float calibration, probe-then-transfer technique, and regular batch cadence all indicate scripted tooling with human authorisation reserved for large movements.
| S1 | Tronscan — On-chain dataset · tronscan.org/#/address/THHiKCHNQKxrZiRy4rrqy5jitSP3nUvhJY |
| S2 | OKLink — TRON Address Detail · www.oklink.com/tron/address/THHiKCHNQKxrZiRy4rrqy5jitSP3nUvh… |
Counterparty Map · Inflow Architecture · Outflow Architecture
Upstream · Top 5 Funders
| ID | Address | Volume in | Attribution | Risk |
|---|---|---|---|---|
| A1 | TKJa5yhD6SX42CbZjwuArnc1o3MJ5ZNeug | $67.70M | Unattributed | MEDIUM |
| A2 | TNS17kGeCNke3PRrj7tteuyiwbR4q8Ls1B | $35.14M | Unattributed | MEDIUM |
| A3 | TPXfkQLTytwww2SrRY63vMrCmwy3t8theN | $29.80M | Unattributed | MEDIUM |
| A4 | TG1behizYfNrrzAoNS1tSL86pEbgb53LtN | $24.30M | Unattributed | MEDIUM |
| A5 | TKYqptTcgQjmibSBsHdeuuTYVXHJ3MGLjA | $11.96M | Unattributed | MEDIUM |
Downstream · Top 5 Destinations
| ID | Address | Volume out | Attribution | Risk |
|---|---|---|---|---|
| B1 | TGim18wzQBKbBF7ESnEhYkPQ8jQvu58aRq | $20.00M | Unattributed | MEDIUM |
Account Structure · Protocol Interactions · Threat Exposure
| Address Type | Standard TRON Account — T-prefix, 34-character Base58Check |
| Script Encoding | TRC-20 USDT (contract TR7NHqjeKQxGTCi8q8ZY4pL8otSZgjLj6t) |
| UTXO Count | N/A — TRON uses an account model, not UTXO |
| Clustering | Unattributed — no entity assignment in Arkham or OKLink |
| Service Label | None — no exchange, custodian, or VASP label at any source |
| VASP Exposure | None confirmed — zero interaction with labelled exchanges across 528 days |
| Wallet Software | Unknown — programmatic management indicators present (scheduled transfers, automated TRX float) |
| Category | Status |
|---|---|
| Exchange Deposits / Withdrawals | NONE None — zero VASP interaction in full transaction history |
| DeFi / Smart Contract Interaction | NONE |
| Lightning Network Channels | N/A N/A — TRON |
| Ordinals / Inscriptions | N/A N/A — TRON |
| Mixing / CoinJoin Services | NONE |
| Cross-Chain Bridges | NONE |
| Sanctions-Listed Address Contact | NONE None confirmed — supply chain fully unattributed |
Investigative confidence is high for on-chain data (complete transfer history, API results consistent with three independent screenshot sources) and moderate-to-high for behavioural profiling (Tuesday scheduling, three-phase lifecycle, automation indicators). Confidence is necessarily low for attribution: the complete absence of VASP labels at any hop is itself a meaningful data point — wallets of this scale and age that have never touched a labelled exchange are rare in legitimate financial contexts. The primary analytical uncertainty is whether the unattributed funders represent a single controlling entity (treasury model) or multiple independent sources (aggregation model). This distinction has material implications for hypothesis assessment but cannot be resolved without additional hop analysis or legal process compelling exchange disclosure.
| CRITERION | FINDING | ASSESSMENT | |
| 1. Sanctions (OFAC/EU/UN) | CLEAR | ||
| 2. Fraud/Scam Exposure | MONITOR | ||
| 3. Ransomware/Darknet | CLEAR | ||
| 4. Mixer/CoinJoin | CLEAR | ||
| 5. Exchange Source Verif. | UNVERIFIED | ||
| 6. Structuring/Layering | FLAG | ||
| 7. Third-Party Risk | CLEAR | ||
| 8. Address Poisoning | MONITOR |
The hop-2 analysis of TKJa5yhD6SX42CbZjwuArnc1o3MJ5ZNeug reveals a hub-and-spoke distribution structure in which a single high-volume wallet routes funds to at least three identified destination wallets, of which THHiKCHN receives approximately 15.6% of sampled outflows. Two other TKJa5 destinations — TSpWeehYseWa47KtnghFSycCwZTfGdyHcR ($32M) and TKRm55cdi4zVopmWDiHmdTsj1MWj8h8TkD ($21.4M) — have not been screened and may represent parallel accumulation points within the same network. The complete absence of attribution across this two-hop network, combined with the scale (over $72.5M sampled at TKJa5 alone), is statistically improbable in a legitimate financial context where at least some touchpoints would typically be labelled exchanges or known OTC desks. The implication is either a highly sophisticated attribution-avoidance strategy or a network operating entirely within an unregulated or undisclosed financial ecosystem.
Flagged Patterns & Significant Observations
| ID | Date | Event | Severity | Significance |
| A-01 | 2026-04-21 | $20M Pass-Through Extraction. Probe transfer of $100 USDT followed by $19,999,900 to TGim18wzQBKbBF7ESnEhYkPQ8jQvu58aRq — a wallet with 10 total transactions — which immediately forwarded the entire balance to TPEb895qfVQjto6gpENC9MJQ8j3D1UpksT with zero retention. | FLAG | Only material outflow in 528 days. Probe-then-transfer technique and single-use pass-through routing constitute a recognised two-step fund layering pattern. |
| A-02 | 2024-12-17 | Rapid Initialisation — $32.56M in 14 Days. Seven transfers totalling $32.56M received in the first 14 days of wallet life. Four of the seven were $100 USDT probe transfers preceding larger institutional amounts. | NOTABLE | Deliberate wallet staging: probe-confirm-fund. No exploratory activity preceding the first large deposit — consistent with planned deployment. |
| A-03 | LIFETIME | Tuesday Scheduling Concentration — 47%. 29 of 62 recorded transfers fall on Tuesdays. No other day exceeds 15%. Statistical probability of this distribution under random operation is below 0.1%. | NOTABLE | Strongly indicative of scheduled or automated operation with a weekly cadence anchored to Tuesdays, consistent across all three operational phases. |
THHiKCHNQKxrZiRy4rrqy5jitSP3nUvhJY is an unattributed TRON USDT wallet that has accumulated $168.9 million across 60 inbound transfers over 528 days, retaining $148.9 million on-chain as of the report date. The wallet demonstrates institutional-scale operational discipline: a minimal TRX gas reserve maintained at precisely calibrated levels, Tuesday-concentrated transaction scheduling consistent with automated tooling, probe-transaction technique deployed before large outbound transfers, and relay-only counterparties at every verified hop across two levels of analysis. No exchange, custodian, or VASP label has been identified at any point in the supply chain.
The single material outbound transfer — $20 million on 21 April 2026 — was routed through a wallet with 10 total transactions that immediately forwarded the full balance to a further unattributed address, a pattern consistent with deliberate fund layering. The primary funder (TKJa5..., $67.7M, 40.1%) distributes to multiple wallets in a hub-and-spoke structure, placing THHiKCHN as one node in a broader unattributed network rather than the terminus of a bilateral relationship.
The combination of scale, total supply chain opacity, scheduling regularity, and layering-consistent extraction method supports the primary hypothesis that this wallet is a professionally managed treasury or staging position within a larger financial operation. A secondary hypothesis of organised fraud or darknet proceeds aggregation is supported by the zero-retention relay funder profile and phishing-network address exposure. AML risk is assessed as MEDIUM, with a FLAG on Structuring/Layering and MONITOR ratings on Fraud/Scam Exposure and Address Poisoning. Immediate investigative priorities are attribution of all five hop-1 funders and tracing of TPEb895qfVQjto6gpENC9MJQ8j3D1UpksT, the terminal destination of the $20M extraction.
Hypothesis Assessment
Probabilities sum to 100%. Attribution confidence: MODERATE.
Monitor for any new outbound transfers from THHiKCHN — with $148.9M on-chain, the next extraction event is the highest-priority alert trigger. Set threshold alerts on TGim18wzQBKbBF7ESnEhYkPQ8jQvu58aRq and TPEb895qfVQjto6gpENC9MJQ8j3D1UpksT for further movement of the extracted $20M. Extend hop-2 analysis to the remaining four hop-1 funders (TNS17, TPXfk, TG1be, TKYqp) — only TKJa5 was sampled; the others may reveal different funder profiles or attributable exchange touchpoints. Investigate TSpWeehYseWa47KtnghFSycCwZTfGdyHcR and TKRm55cdi4zVopmWDiHmdTsj1MWj8h8TkD, the two largest destinations of TKJa5, which may be parallel accumulation wallets in the same network. Screen all five hop-1 addresses against Chainabuse and any available TRON threat intelligence databases.
Government Records · Press Coverage · Research & Analytics · Blockchain Intelligence
OSINT section complete. No entity attribution at Arkham, OKLink, or Tronscan. Address has been targeted by multiple phishing/spam token contracts, confirming its presence in illicit-network address lists.
Priority Actions & Engagement Opportunities
| P1 | Trace $20M Extraction Chain — Follow TPEb895qfVQjto6gpENC9MJQ8j3D1UpksT to determine the final disposition of the $20M outflow from 2026-04-21. On-chain tracing via Tronscan and OKLink. · On-chain |
| P2 | Attribute Hop-1 Funders — Submit all five primary funder addresses to exchange compliance teams or attribution vendors (Chainalysis, Elliptic, TRM) for KYC and entity lookup. · OSINT |
| P3 | Threat Intelligence Screen — Query Chainabuse and TRON-specific threat databases for TKJa5yhD6SX42CbZjwuArnc1o3MJ5ZNeug, TNS17kGeCNke3PRrj7tteuyiwbR4q8Ls1B, and the three remaining hop-1 funders. · OSINT |
| P4 | Expand Hop-2 Network — Investigate TSpWeehYseWa47KtnghFSycCwZTfGdyHcR ($32M) and TKRm55cdi4zVopmWDiHmdTsj1MWj8h8TkD ($21.4M) — the two largest TKJa5 destinations not yet screened. · On-chain |
| P5 | SAR Threshold Assessment — The $20M layering-consistent extraction and zero-attribution $168.9M supply chain may meet SAR filing thresholds in applicable jurisdictions. Review against local regulatory requirements. · SAR |
Priority one is the $20M extraction chain: TPEb895qfVQjto6gpENC9MJQ8j3D1UpksT has not been traced beyond one additional hop and may have already dispersed funds further across the network. Priority two is hop-1 funder attribution — if any single funder is identified as a regulated exchange or VASP, the entire supply chain risk assessment requires immediate revision, and the MEDIUM overall rating would likely be elevated. The Tuesday scheduling pattern creates a temporal correlation opportunity: cross-referencing other wallets in the TKJa5 hub-and-spoke network for same-day transfer events may reveal coordinated operation and help establish whether a single controller manages multiple nodes.
| REF | SOURCE |
|---|---|
| S1 | Tronscan -- On-chain Data https://tronscan.org/#/address/THHiKCHNQKxrZiRy4rrqy5jitSP3n… Full TRC-20 transfer history, raw transaction log, and address profile via Tronscan API and explorer. Retrieved 2026-05-30. |
| S2 | Arkham -- Address Profile https://intel.arkm.com/explorer/address/THHiKCHNQKxrZiRy4rrq… Screenshot captured 2026-05-30. File: screenshot_arkham.png |
| S3 | OKLink -- Address Profile https://www.oklink.com/tron/address/THHiKCHNQKxrZiRy4rrqy5ji… Screenshot captured 2026-05-30. File: screenshot_oklink.png |
| TERM | DEFINITION |
|---|---|
| Relay Wallet | A wallet whose primary function is to receive funds and forward them without balance retention, adding transactional hops between source and destination to obscure the trail. |
| Probe Transaction | A small transfer (typically $1–$100) sent to a destination address immediately before a large payment to verify the address is active and the recipient is correct. |
| Layering | The second stage of money laundering in which funds are moved through a series of transactions to distance them from their source and complicate the audit trail. |
| Pass-Through Wallet | A wallet created for one or a small number of transfers, used to relay funds and then abandoned — providing a disposable intermediary hop. |
| VASP | Virtual Asset Service Provider — a regulated entity such as a cryptocurrency exchange, OTC desk, or custodian subject to AML and KYC obligations. |
| Hub-and-Spoke | A network topology in which one central wallet (the hub) funds multiple recipient wallets (spokes); common in OTC settlement operations and organised fund distribution networks. |
| TRC-20 | The TRON token standard for fungible tokens. USDT on TRON is a TRC-20 token issued against the contract TR7NHqjeKQxGTCi8q8ZY4pL8otSZgjLj6t. |
| SAR | Suspicious Activity Report — a regulatory filing required in many jurisdictions when a financial institution identifies potentially illicit activity meeting defined thresholds. |