KALLISTI BLOCKCHAIN FORENSICS
TRC-20 (USDT primary asset) + native TRX
---
Target Wallet Address
TSDHK2dr4iAeDRTsmSMXz2kLgJdK1jnhyd
Report Date: 2026-06-03 · Prepared by Kallisti Blockchain Forensics
Wallet Identity · Financial Overview · Holdings · Activity Patterns · Account Structure
| Entity | Blocked |
| Blockchain | TRON mainnet · TRC-20 USDT wallet |
| Account Age | 710 days (1.95 years) ‖ Active: 2024-06-20 17:00:36 UTC → 2026-05-31 19:41:21 UTC |
| TRX Balance | 6.0100 TRX |
| Transactions | 931 total · 36 USDT transfers (36 in · 0 out) · 26 counterparties |
| Total USDT In | $1.79M |
| Total USDT Out | $0.00 |
| Net Balance | $1.79M |
This wallet exhibits a pure receipt-and-hold pattern with confirmed Tether freeze — a static terminus in a two-hop relay chain. Its behavioral profile is consistent with a fraud or theft destination wallet whose operator lost practical control of the funds upon Tether intervention. No exchange, custodial, DeFi protocol, or commercial activity has been detected beyond a historical Transit Swap interaction noted in OKLink metadata.
A single inbound transfer of $1,790,000 USDT constitutes 99.95% of all USDT value received. Subsequent inflows are sub-$1,000 probes. This size profile — one dominant institutional-scale receipt followed by silence — is inconsistent with retail accumulation, exchange infrastructure, or commercial VASP activity; it is consistent with a targeted fraud-proceeds deposit.
Zero outflows across 710 days; the 6.010012 TRX float is minimal and has never been consumed for fees. A #Transit Swap User tag (OKLink) indicates prior interaction with the Transit Swap DeFi aggregator — likely as a fund-movement tool before the freeze — but no active positions remain. The 931 raw transaction count is inflated by TRON spam airdrop tokens.
Thursday dominates at 41.7% of USDT events; Monday and Wednesday at 13.9% each. UTC 08:00 peak (22.2%); secondary peaks 15:00 (11.1%) and 09:00 (8.3%); dead zones 03:00, 06:00–07:00, 18:00–20:00. Post-freeze distribution is probe-dominated and cannot reliably characterise operator hours. The single meaningful transaction (2024-06-20 17:00 UTC) maps to late-night East Asia; most probable timezone UTC+7 to UTC+9, low confidence.
No evidence of automated operation is present. The single substantive transaction appears manual or semi-manual. All post-freeze inflows are passively received external probes, not operator-generated.
| S1 | Tronscan — On-chain dataset · tronscan.org/#/address/TSDHK2dr4iAeDRTsmSMXz2kLgJdK1jnhyd |
| S2 | OKLink — TRON Address Detail · www.oklink.com/tron/address/TSDHK2dr4iAeDRTsmSMXz2kLgJdK1jnh… |
Counterparty Map · Inflow Architecture · Outflow Architecture
Upstream · Top 5 Funders
| ID | Address | Volume in | Attribution | Risk |
|---|---|---|---|---|
| A1 | TVrQ3eUjXkDnq5xJbv9TfQPdtTQcUXPJRd | $1.79M | Unattributed | MEDIUM |
| A2 | TVRei3E1hEq42UZKSzk29R3cnZPgXAakQN | $800.00 | Unattributed | MEDIUM |
| A3 | TKNaZqrMt1ef3oojYHmgJPJmM6t4JDjzQy | $600.00 | Unattributed | MEDIUM |
| A4 | TFBmyki5C8FJzqaRaCwqRC5p89GfCpNdiG | $36.00 | Unattributed | MEDIUM |
| A5 | TJP3ikWfsFsbbVHc6M424ii2TbnXqyBG9R | $30.00 | Unattributed | MEDIUM |
Downstream · Top 5 Destinations
No outbound transactions as of 31/05/2026
Account Structure · Protocol Interactions · Threat Exposure
| Address Type | TRON Account (EOA) |
| Script Encoding | TRC-20 USDT wallet |
| UTXO Count | N/A — TRON account model |
| Clustering | No Arkham cluster; labeled 'Suspicious Banned by USDT' |
| Service Label | None — Unattributed; confirmed Tether blacklisted |
| VASP Exposure | None confirmed |
| Wallet Software | Unknown; prior Transit Swap DeFi aggregator interaction noted |
| Category | Status |
|---|---|
| Exchange Deposits / Withdrawals | NONE none confirmed |
| DeFi / Smart Contract Interaction | LIMITED Transit Swap aggregator (historical — per OKLink tag; no active positions) |
| Lightning Network Channels | NONE |
| Ordinals / Inscriptions | NONE |
| Mixing / CoinJoin Services | NONE |
| Cross-Chain Bridges | NONE |
| Sanctions-Listed Address Contact | NONE none (Tether blacklist is issuer contractual action, not OFAC/EU/UN sanction) |
| Date | Category | Source | Nominal | Outcome |
|---|---|---|---|---|
| 2024-06-20 | Issuer Freeze (Tether) | Tether Limited | $1,791,526.83 USDT frozen in full | ONGOING |
Network analysis is constrained by the absence of outbound flows. The inbound relay chain is fully resolved at two hops. Beyond TM3t, the upstream chain was not traced in this investigation. The relay wallet TVrQ3e holds 21.644 TRX and zero USDT, consistent with a depleted transit wallet post-forwarding. All five FLOW_INFLOWS counterparties are unattributed; no exchange or entity clustering has been established for any node in the identified chain.
| CRITERION | FINDING | ASSESSMENT | |
| 1. Sanctions (OFAC/EU/UN) | CLEAR | ||
| 2. Fraud/Scam Exposure | FLAG | ||
| 3. Ransomware/Darknet | CLEAR | ||
| 4. Mixer/CoinJoin | CLEAR | ||
| 5. Exchange Source Verif. | MONITOR | ||
| 6. Structuring/Layering | ELEVATED | ||
| 7. Third-Party Risk | MONITOR | ||
| 8. Address Poisoning | CLEAR |
This wallet is subject to a confirmed Tether Limited blacklist — a unilateral contract-level freeze by the USDT issuer under the TRC-20 contract's admin key powers. This mechanism is distinct from, but functionally equivalent to, OFAC sanctions: the balance is frozen and non-transferable, but the authority derives from Tether's terms of service rather than a government designation. Tether has historically applied blacklists in response to law enforcement requests following confirmed hacks or fraud, proactive fraud prevention actions, and court orders. The presence of a blacklist on a $1.79M balance wallet implies Tether has received or independently identified evidence of illicit origin — constituting a material compliance finding. Any institution with counterparty exposure to wallets in this relay chain should conduct enhanced due diligence and consider SAR obligations under applicable AML regulations.
Flagged Patterns & Significant Observations
| ID | Date | Event | Severity | Significance |
| A-01 | 2024-06-20 | $1,790,000 USDT Receipt + Tether Blacklist. Single large inbound transfer via two-hop relay; entire balance subsequently frozen by Tether Limited. OKLink and Arkham both confirm blacklist status. | CRITICAL | Confirmed illicit-origin determination by Tether Limited. The $1.79M USDT is permanently non-transferable — the wallet is an irrecoverable frozen terminus. |
| A-02 | 2024-06-20 | Zero Outflows — 710-Day Dormancy. No outbound USDT transfer has occurred since wallet creation. Operator has been unable to move funds since Tether intervention. | NOTABLE | Consistent with a Tether-frozen address whose operator cannot transact. Sustained dormancy over 710 days with active balance confirms the freeze is effective. |
TSDHK2dr4iAeDRTsmSMXz2kLgJdK1jnhyd is a confirmed Tether-blacklisted TRON wallet holding $1,791,526.83 USDT permanently frozen since receipt on 2024-06-20. The single $1.79M inflow arrived via a two-hop relay (TM3t → TVrQ3e → TSDHK), both hops fully unattributed. Zero outflows in 710 days. AML risk: HIGH — Fraud/Scam 0.85 (confirmed Tether freeze); Structuring 0.25 (two-hop exact-value relay). Attribution: Unattributed — Tether Blacklisted. Security: COMPROMISED (22). Recommended priority action: upstream trace of TM3tNvmfwH2XXQ67qZnoZaWzhnmB35Katv and Tether compliance inquiry to establish criminal investigation status.
Hypothesis Assessment
Probabilities sum to 100%. Attribution confidence: 75 / 20 / 5.
This wallet holds $1.79M in USDT that is legally and technically frozen by Tether Limited — the funds cannot be moved, swapped, bridged, or transferred, and have zero practical utility to any current holder. Any institution that received funds from or sent funds to nodes in this relay chain should treat this as a confirmed fraud-exposure signal and conduct enhanced due diligence on those counterparties. If this wallet address or any node in its relay chain appears in a customer's transaction history, a SAR filing is strongly advisable under standard AML compliance obligations.
Government Records · Press Coverage · Research & Analytics · Blockchain Intelligence
Fund flow terminates at this wallet. No outbound transfers exist. The inbound relay chain is fully resolved at two hops (TM3t → TVrQ3e → TSDHK); upstream of TM3t is uncharted and warrants further investigation.
Priority Actions & Engagement Opportunities
| P1 | Upstream Trace — TM3tNvmfwH2XXQ67qZnoZaWzhnmB35Katv — Trace the hop-2 originator wallet upstream to identify the primary source of the $1,790,000 USDT. Determine whether TM3t connects to a known exchange, OTC desk, or prior fraud-linked address. · On-chain |
| P2 | Tether Compliance Inquiry — Contact Tether Limited compliance to confirm the basis for the blacklist (law enforcement referral, proactive detection, or court order) and whether a criminal investigation is currently active. · Regulatory |
| P3 | SAR Filing Assessment — Assess SAR obligations for any institution with documented counterparty exposure to TSDHK or any node in the identified relay chain (TM3t, TVrQ3e). · SAR |
| P4 | OSINT — Advanced Sweep — Conduct advanced OSINT on TM3tNvmfwH2XXQ67qZnoZaWzhnmB35Katv; search for any reported theft, fraud, or exchange hack in June 2024 involving a $1.79M USDT amount on TRON. · OSINT |
Priority investigation action: trace TM3tNvmfwH2XXQ67qZnoZaWzhnmB35Katv upstream — this is the originator of the $1,790,000 and the key to establishing whether this freeze is connected to a known exchange hack, fraud campaign, or law enforcement action. Contact Tether Limited compliance to determine the blacklist basis; their answer will indicate whether a criminal investigation is already underway and whether victim restitution proceedings have been initiated. Flag all relay chain addresses in your monitoring systems.
| REF | SOURCE |
|---|---|
| S1 | On-chain dataset -- TRC-20 Transfers https://tronscan.org/#/address/TSDHK2dr4iAeDRTsmSMXz2kLgJdK1… Full TRC-20 transfer history via Tronscan API. Retrieved 2026-06-03. |
| S2 | On-chain dataset -- Raw Transactions https://tronscan.org/#/address/TSDHK2dr4iAeDRTsmSMXz2kLgJdK1… Full transaction log via Tronscan API. Retrieved 2026-06-03. |
| S3 | Arkham -- Address Profile https://intel.arkm.com/explorer/address/TSDHK2dr4iAeDRTsmSMX… Screenshot captured 2026-06-03. File: screenshot_arkham.png |
| S4 | Tronscan -- Address Profile https://tronscan.org/#/address/TSDHK2dr4iAeDRTsmSMXz2kLgJdK1… Screenshot captured 2026-06-03. File: screenshot_tronscan.png |
| S5 | Oklink -- Address Profile https://www.oklink.com/tron/address/TSDHK2dr4iAeDRTsmSMXz2kL… Screenshot captured 2026-06-03. File: screenshot_oklink.png |
| TERM | DEFINITION |
|---|---|
| Tether Blacklist | A contract-level freeze applied by Tether Limited using the TRC-20/ERC-20 admin key, rendering a designated address permanently unable to transfer USDT; applied upon confirmation of illicit origin or via law enforcement directive. |
| Transit Swap | A TRON-ecosystem DeFi aggregator enabling token swaps across multiple liquidity pools; historical interaction with this service is noted in OKLink address metadata. |
| Two-Hop Relay | A fund movement pattern in which proceeds pass through two intermediate wallets before reaching a terminus, creating layering obfuscation between the originating source and the final destination. |
| Terminus Wallet | The final destination address in a fund movement chain, from which no further outbound transfers occur; in this case, the terminus is frozen and the operator cannot transact. |