KALLISTI BLOCKCHAIN FORENSICS
TRC-20 (USDT primary asset) + native TRX
---
Target Wallet Address
TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81
Report Date: 2026-05-30 · Prepared by Kallisti Blockchain Forensics
Wallet Identity · Financial Overview · Holdings · Activity Patterns · Account Structure
| Entity | Blocked |
| Blockchain | TRON mainnet · TRC-20 USDT wallet |
| Account Age | 1,847 days (5.06 years) ‖ Active: 2021-03-04 05:41:00 UTC → 2026-03-25 20:18:45 UTC |
| TRX Balance | 415.9351 TRX |
| Transactions | 446 total · 227 USDT transfers (166 in · 61 out) · 99 counterparties |
| Total USDT In | $228.65M |
| Total USDT Out | $15.73M |
| Net Balance | $212.92M |
Net accumulator with extreme retention: $228.65M received across 166 inbound events; only $15.73M disbursed in 61 outflows over 1,847 days — a 93.1% retention rate. The single dominant counterparty (TCXfhTDMuS, 72.8% of inflows) and near-total absence of VASP contact are consistent with a state-level sanctions evasion reserve designed to accumulate USDT outside the regulated financial system.
Inflows span micro-amounts to very large tranches; the dominant funder contributed $166.5M across multiple batches including at least one transfer exceeding $100M. Outflows are smaller and more frequent (61 events averaging ~$258K each), suggesting operational disbursements — salary payments, procurement, or subsidiary funding — rather than treasury cycling. No round-sum structuring pattern; irregular batch sizes indicate discretionary rather than scheduled outflows.
Arkham labels this address "Central Bank of Iran"; OKLink carries independent #Blocked and #Sanction tags; OFAC SDN designation confirmed. $212.92M USDT remains unfrozen — Tether has not exercised its freeze capability despite clear SDN status, leaving the full balance liquid and transferable. TRX balance of 415.9 TRX provides a minimal gas reserve (energy staked: 0), sufficient for the current low-frequency operational pace.
DOW peaks Saturday (18.5%) and Sunday (20.3%); 38.8% of 227 transactions fell on weekends — consistent with fully automated treasury software. UTC 05–10 accounts for 44.5% of all activity, mapping to 08:30–13:30 IRST (Iranian morning business window); secondary peak at UTC 19 (12.3%) indicates an overnight batch process. Operator timezone: Iran / Tehran (UTC+3:30).
Two distinct daily operating windows (UTC 05–10 and UTC 19) combined with weekend-dominant scheduling confirm automated execution rather than manual operation. The absence of any DeFi, bridge, or protocol interaction across the full 5-year history indicates a purpose-built, isolated treasury wallet — no exploratory or retail behaviour. Sub-$200 activity since January 2024 suggests the accumulation programme concluded and the wallet has been placed in passive reserve status.
| S1 | Tronscan — On-chain dataset · tronscan.org/#/address/TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81 |
| S2 | OKLink — TRON Address Detail · www.oklink.com/tron/address/TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH… |
Counterparty Map · Inflow Architecture · Outflow Architecture
Upstream · Top 5 Funders
| ID | Address | Volume in | Attribution | Risk |
|---|---|---|---|---|
| A1 | TCXfhTDMuS6pbfCEoACPcBf2EnnhMAAEWh | $166.57M | Unattributed | MEDIUM |
| A2 | TD2BiYkihphjrK35YQy1QGxGotSo86vVnk | $29.99M | Unattributed | MEDIUM |
| A3 | TZ3xL5jeBXyo8jPDvh2veBtJZCJozHq81t | $16.50M | Unattributed | MEDIUM |
| A4 | TTiDLWE6fZK8okMJv6ijg42yrH6W2pjSr9 | $8.60M | Unattributed | MEDIUM |
| A5 | TJ45EBCYKxRuxXhWUnWvpTYKfudbPDtunS | $5.09M | Unattributed | MEDIUM |
Downstream · Top 5 Destinations
| ID | Address | Volume out | Attribution | Risk |
|---|---|---|---|---|
| B1 | TCXfhTDMuS6pbfCEoACPcBf2EnnhMAAEWh | $11.17M | Unattributed | MEDIUM |
| B2 | TNBVWn7BBvQ2Lsm7K2fXCNF5qU1XXcny3o | $1.49M | Unattributed | MEDIUM |
| B3 | TScxFMKmra6sfK2KDkZGHkyK6NnECBaVjo | $934,019.00 | Unattributed | MEDIUM |
| B4 | TRX8NbW3gGRyYmDsvkNWjaGgnA74s3ZbRM | $630,294.00 | Unattributed | LOW |
| B5 | TC8pcoJvTNErvZ8BnzPo2otGNdmDwx8STJ | $468,169.00 | Unattributed | LOW |
Account Structure · Protocol Interactions · Threat Exposure
| Address Type | TRON Account — TRC-20 token holder (account model, not UTXO) |
| Script Encoding | N/A — TRON account model; TRC-20 USDT contract TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t |
| UTXO Count | N/A — TRON uses account-based model; no UTXO set |
| Clustering | Arkham: Central Bank of Iran entity cluster; corroborated by OFAC SDN designation and OKLink #Blocked/#Sanction tags |
| Service Label | OFAC SDN — Central Bank of Iran; no exchange or VASP label assigned |
| VASP Exposure | None confirmed — zero regulated exchange, OTC desk, or custodian contact across full 5-year transaction history (166 IN / 61 OUT) |
| Wallet Software | Unknown — likely purpose-built automated treasury software; dual operating windows (UTC 05-10 and UTC 19) with weekend-dominant scheduling indicate scripted execution |
| Category | Status |
|---|---|
| Exchange Deposits / Withdrawals | NONE |
| DeFi / Smart Contract Interaction | NONE |
| Lightning Network Channels | NONE |
| Ordinals / Inscriptions | NONE |
| Mixing / CoinJoin Services | NONE |
| Cross-Chain Bridges | NONE |
| Sanctions-Listed Address Contact | NONE |
99 distinct USDT counterparties — all unattributed. Primary funder and destination: TCXfhTDMuS6... (relay node, also funds TTiDLWE6). Ultimate source: TD2BiYkihphjrK35YQy1QGxGotSo86vVnk (72M into relay). No exchange or VASP contact across 5-year history.
| CRITERION | FINDING | ASSESSMENT | |
| 1. Sanctions (OFAC/EU/UN) | CRITICAL | ||
| 2. Fraud/Scam Exposure | CLEAR | ||
| 3. Ransomware/Darknet | CLEAR | ||
| 4. Mixer/CoinJoin | CLEAR | ||
| 5. Exchange Source Verif. | UNVERIFIED | ||
| 6. Structuring/Layering | FLAG | ||
| 7. Third-Party Risk | CRITICAL | ||
| 8. Address Poisoning | CLEAR |
Accumulation: 2021-03-04 to 2023-12-31 (12.7M received). Dormancy: 2024-01 to present (sub-00 activity). Last transaction: 2026-03-25 (micro-probe, 9.79).
Flagged Patterns & Significant Observations
| ID | Date | Event | Severity | Significance |
| A-01 | LIFETIME | OFAC SDN Designation. Address designated on OFAC Specially Designated Nationals list under Iran-related sanctions programme. | SANCTIONS | Any interaction with this address constitutes a strict-liability OFAC violation. |
| A-02 | 2022–2023 | 12.7M Accumulation via TCXfhTDMuS Relay. Funds routed through intermediary relay node TCXfhTDMuS in multiple large tranches — largest single transfer exceeds 00M. | STRUCTURING | Relay-hop pattern consistent with sanctions evasion layering; funds attributed to Central Bank of Iran entity cluster. |
| A-03 | 2024-01-01 | Operational Dormancy — Balance Frozen. No material outflows since late 2023; 12.92M USDT balance remains static, consistent with asset freeze or deliberate hold pending transfer. | NOTABLE | Extended dormancy on a sanctioned balance of this magnitude warrants continuous monitoring and law-enforcement reporting. |
OFAC SDN-confirmed Central Bank of Iran USDT reserve wallet. 12.92M unfrozen. Connected to second CBI wallet (TTiDLWE6) via relay infrastructure. Dormant since 2024. REJECT/SAR mandatory.
Hypothesis Assessment
Probabilities sum to 100%. Attribution confidence: HIGH.
Monitor for: (1) Any Tether freeze action on this address. (2) Reactivation of large USDT movements after 2024 dormancy. (3) New relay nodes connecting to this address. (4) Legal/regulatory action referencing this address in OFAC enforcement press releases.
Government Records · Press Coverage · Research & Analytics · Blockchain Intelligence
Arkham (Central Bank of Iran entity cluster), OKLink (#Blocked #Sanction), OFAC SDN list, US Treasury press releases, UN Panel of Experts reports, DoJ Operation Economic Fury, Chainalysis crypto crime reporting — all independently corroborate CBI attribution and sanctions status.
Priority Actions & Engagement Opportunities
| P1 | — · |
REJECT all transactions. File SAR if prior interaction. Escalate to compliance officer for secondary sanctions assessment. Notify Tether of unfrozen SDN balance.
| REF | SOURCE |
|---|---|
| S1 | On-chain dataset -- TRC-20 Transfers https://tronscan.org/#/address/TNiq9AXBp9EjUqhDhrwrfvAA8U3GU… Full TRC-20 transfer history via Tronscan API. Retrieved 2026-05-30. |
| S2 | On-chain dataset -- Raw Transactions https://tronscan.org/#/address/TNiq9AXBp9EjUqhDhrwrfvAA8U3GU… Full transaction log via Tronscan API. Retrieved 2026-05-30. |
| S3 | Arkham -- Address Profile https://intel.arkm.com/explorer/address/TNiq9AXBp9EjUqhDhrwr… Screenshot captured 2026-05-30. File: screenshot_arkham.png |
| S4 | Tronscan -- Address Profile https://tronscan.org/#/address/TNiq9AXBp9EjUqhDhrwrfvAA8U3GU… Screenshot captured 2026-05-30. File: screenshot_tronscan.png |
| S5 | Oklink -- Address Profile https://www.oklink.com/tron/address/TNiq9AXBp9EjUqhDhrwrfvAA… Screenshot captured 2026-05-30. File: screenshot_oklink.png |
| TERM | DEFINITION |
|---|---|
| OFAC | Office of Foreign Assets Control — U.S. Treasury body that administers economic and trade sanctions; its Specially Designated Nationals (SDN) list prohibits U.S. persons from transacting with listed individuals, entities, and addresses. |
| SDN (Specially Designated National) | An individual, entity, or address placed on the OFAC SDN list; all property and interests in property subject to U.S. jurisdiction are blocked, and U.S. persons are prohibited from dealing with SDN-listed parties. |
| Operation Economic Fury | April 2026 U.S. Treasury campaign targeting Iranian financial networks; resulted in the OFAC SDN designation of TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81 and TTiDLWE6fZK8okMJv6ijg42yrH6W2pjSr9, and a coordinated $344M Tether freeze. |
| Tether Freeze / Blacklist | Tether's contractual ability to render USDT tokens non-transferable at a specific address; exercised on April 23–24, 2026 against both CBI-designated wallets, locking ~$344M combined. |
| Bank Markazi (CBI) | The Central Bank of the Islamic Republic of Iran (Bank Markazi Jomhouri Islami Iran) — Iran's central banking authority, designated as an SDN under OFAC Iran sanctions programs since 2019 for financing terrorism and weapons proliferation. |
| IRGC-Qods Force | Islamic Revolutionary Guard Corps Quds Force — the external operations unit of the IRGC, designated as a Foreign Terrorist Organization; OFAC linked this wallet cluster to IRGC-Qods Force and Hezbollah in its April 2026 action. |
| Relay Node | In this report, a wallet that acts as an intermediary: receives funds from one source and redistributes them to multiple destinations, obscuring the direct link between origin and final recipient. TCXfhTDMuS6pbfCEoACPcBf2EnnhMAAEWh is the primary relay node in this network. |
| TRC-20 | A token standard on the TRON blockchain analogous to Ethereum’s ERC-20; USDT (Tether) issued under TRC-20 is the dominant stablecoin used in this case for value storage and transfer. |
| TERM | DEFINITION |
|---|---|
| USDT (Tether) | USD Tether — the world’s largest stablecoin by market cap, pegged 1:1 to the U.S. dollar; issued by Tether Ltd. on multiple blockchains including TRON. Contractually blacklistable by Tether Ltd. at specific addresses. |
| Secondary Sanctions Risk | The risk that non-U.S. persons or entities may face U.S. sanctions consequences for conducting transactions with SDN-listed parties, even when the transaction does not touch the U.S. financial system. |
| SAR (Suspicious Activity Report) | A regulatory filing required of financial institutions under the Bank Secrecy Act (BSA) when suspicious transactions are detected; mandatory for any prior interaction with an OFAC-designated address. |
| Accumulation Pattern | A wallet behaviour characterised by high inflow retention and minimal outflows; in this case, 93.1% of received funds (\$228.65M in, \$15.73M out) were retained, consistent with sovereign reserve storage. |
| Dormancy Phase | A period of no material on-chain activity; this wallet entered dormancy from approximately January 2024 until the April 2026 Tether freeze, holding a static balance of \$212.92M for ~16 months. |
| Closed-Loop Circular Flow | A transaction pattern in which funds are sent to a counterparty and a portion is subsequently returned to the originating wallet; here, \$166.5M was sent to TCXfhTDMuS and \$11.2M returned, creating artificial volume while obscuring net fund flows. |
| AML (Anti-Money Laundering) | The set of laws, regulations, and procedures designed to prevent the generation of income through illegal actions; in crypto context, includes sanctions screening, counterparty attribution, transaction pattern analysis, and suspicious activity reporting. |