KALLISTI BLOCKCHAIN FORENSICS
TRX-native (primary holding is TRX; zero USDT activity)
---
Target Wallet Address
TZ3xL5jeBXyo8jPDvh2veBtJZCJozHq81t
Report Date: 2026-06-05 · Prepared by Kallisti Blockchain Forensics
Wallet Identity · Financial Overview · Holdings · Activity Patterns · Account Structure
| Entity | TZ3xL5jeBXyo8jPDvh2veBtJZCJozHq81t |
| Blockchain | TRON mainnet · TRX-native wallet |
| Account Age | 186 days (0.51 years) ‖ Active: 2021-08-04 18:21:54 UTC → 2022-02-07 06:44:33 UTC |
| TRX Balance | 18.8674 TRX |
| Transactions | 109 total · 31 TRX transfers (18 in · 13 out) · 23 counterparties |
| Total TRX In | 1,770.0001 TRX |
| Total TRX Out | 1,630.0000 TRX |
| Net Balance | 140.0001 TRX |
This wallet is classified as a sanctions-proximate relay node — a mid-chain address that both receives from and dispatches to OKLink-confirmed Sanction addresses at the Hop1 level. Unlike TD2BiYkihphjrK35YQy1QGxGotSo86vVnk (which contacts sanctioned endpoints only through a one-hop hub), TZ3xL5jeBXyo8jPDvh2veBtJZCJozHq81t directly transacts with two OKLink-confirmed Sanction addresses — the highest risk exposure profile in this network batch.
Inbound amounts show a dominant position by unattributed TYkdG6k1987mkfU5ZzYf9ZK3xi989jNMPJ (820 TRX, 46.3%) followed by round-figure allocations (600, 200, 150 TRX). Outbound distribution is also round-figure: 500 / 450 / 330 / 150 / 100 TRX — deliberate, structured allocation consistent with proportional network distribution. The round-figure pattern throughout inbound and outbound is inconsistent with organic retail spending and consistent with programmatic or manually-scripted allocation.
Account retains 18.87 TRX residual — low but slightly higher than TD2BiY's 4.48 TRX, suggesting less aggressive draining. No staking or energy delegation; bandwidth-based transfers confirm gas-layer operation. The shared counterparty TCXfhTDMuS6pbfCEoACPcBf2EnnhMAAEWh (30.7% outbound) connects this wallet directly to the same $303M hub used by TD2BiYkihphjrK35YQy1QGxGotSo86vVnk; TBABUdx8fCNxsUCX51jXxtyci7mYY882B5 (33.9% inbound) appears in TD2BiY's Hop1 network — confirming shared infrastructure. Bidirectional sanctions contact: received 200 TRX from TTiDLWE6fZK8okMJv6ijg42yrH6W2pjSr9 (OKLink Sanction, $131M USDT held); dispatched 450 TRX to TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81 (OKLink Sanction, $213M USDT held).
Active 186 days (2021-08-04 to 2022-02-07), dormant for 28+ months. DOW distribution shows extreme Wednesday concentration: 13 of 31 events (41.9%), far exceeding all other days — Saturday second at 12.9%, all other days at 6.5% or below; Sunday third at 19.4%. Hourly analysis (31 events) identifies a dominant peak at 18:00 UTC (12 events, 38.7%), with secondary peaks at 06:00 UTC (4, 12.9%) and 14:00 UTC (4, 12.9%), and a late burst at 19:00 UTC (3, 9.7%). Near-zero hours: 00:00–05:00 UTC and 20:00–24:00 UTC. The Wednesday+18:00 UTC double concentration is consistent with a weekly scheduled batch cycle — potentially a settlement or allocation event. Mapping 18:00 UTC to candidate timezones: Central European summer time (UTC+2) = 20:00 (evening); Moscow (UTC+3) = 21:00; Tehran IRST (UTC+3:30) = 21:30; UAE (UTC+4) = 22:00. All are consistent with the Iran/Gulf/CIS timezone band hypothesised for the broader network; the evening local-time scheduling may reflect after-hours operation. Small sample (31 events) limits statistical confidence; the Wednesday/18:00 concentration is structurally significant but should be treated as directional.
The extreme Wednesday concentration (41.9% of all events on a single day of week) and the dominant 18:00 UTC peak (38.7% of all hourly activity) are strongly consistent with scheduled or semi-automated operation — a script or operator executing a weekly allocation routine at a fixed time and day. The secondary 06:00 and 14:00 UTC peaks may reflect additional operational windows or a different operator sharing wallet access. Assessed as semi-automated with a likely weekly Wednesday scheduling cycle.
| S1 | Tronscan — On-chain dataset · tronscan.org/#/address/TZ3xL5jeBXyo8jPDvh2veBtJZCJozHq81t |
| S2 | OKLink — TRON Address Detail · www.oklink.com/tron/address/TZ3xL5jeBXyo8jPDvh2veBtJZCJozHq8… |
Counterparty Map · Inflow Architecture · Outflow Architecture
Upstream · Top 5 Funders
| ID | Address | Volume in | Attribution | Risk |
|---|---|---|---|---|
| A1 | TYkdG6k1987mkfU5ZzYf9ZK3xi989jNMPJ | 820.0000 TRX | Unattributed | MEDIUM |
| A2 | TBABUdx8fCNxsUCX51jXxtyci7mYY882B5 | 600.0000 TRX | Unattributed | MEDIUM |
| A3 | TTiDLWE6fZK8okMJv6ijg42yrH6W2pjSr9 | 200.0000 TRX | Sanction | HIGH |
| A4 | TGzGetNjyDNv4ByMaLwPqG3U8tskNwQsbL | 150.0000 TRX | Unattributed | MEDIUM |
| A5 | TCTmAH4HLxEzmbjczej8NYgptNtwsyZ9Ke | 0.0000 TRX | Unattributed | MEDIUM |
Downstream · Top 5 Destinations
| ID | Address | Volume out | Attribution | Risk |
|---|---|---|---|---|
| B1 | TCXfhTDMuS6pbfCEoACPcBf2EnnhMAAEWh | 500.0000 TRX | Unattributed | MEDIUM |
| B2 | TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81 | 450.0000 TRX | Sanction | MEDIUM |
| B3 | TQ1EfFSbDcsqaMVGKrzj6H1TmC34M447Cz | 330.0000 TRX | Unattributed | MEDIUM |
| B4 | THSbR9t1kTcdjeNBC4Dxjg9AvexWpcYngz | 150.0000 TRX | Unattributed | MEDIUM |
| B5 | TYkdG6k1987mkfU5ZzYf9ZK3xi989jNMPJ | 100.0000 TRX | Unattributed | MEDIUM |
Account Structure · Protocol Interactions · Threat Exposure
| Address Type | TRON EOA (Externally Owned Account) |
| Script Encoding | P2PKH-equivalent — TRON base58check |
| UTXO Count | N/A — TRON account model |
| Clustering | Unattributed — no confirmed Arkham entity cluster; direct Hop1 contact with OKLink-confirmed Sanction addresses; named co-upstream funder in Iran-linked 344M USDT freeze event |
| Service Label | None — no exchange or VASP label on subject address |
| VASP Exposure | None confirmed — zero exchange-attributed counterparties on this wallet; all VASP exposure exists at the Hop2 level via the broader network |
| Wallet Software | Unknown — standard TRON account; no wallet fingerprint identified |
| Category | Status |
|---|---|
| Exchange Deposits / Withdrawals | ACTIVE |
| DeFi / Smart Contract Interaction | ACTIVE |
| Lightning Network Channels | ACTIVE |
| Ordinals / Inscriptions | ACTIVE |
| Mixing / CoinJoin Services | ACTIVE |
| Cross-Chain Bridges | ACTIVE |
| Sanctions-Listed Address Contact | ACTIVE |
| Date | Category | Source | Nominal | Outcome |
|---|---|---|---|---|
| 2021–2022 | Sanction Contact — Inbound | …rH6W2pjSr9 | Received 200 TRX directly from OKLink Sanction/Blocked address holding $131,288,800.97 USDT — confirmed direct Hop1 bidirectional contact | ESCALATED |
| 2021–2022 | Sanction Contact — Outbound | …8U3GUQZH81 | Sent 450 TRX directly to OKLink Sanction/Blocked address holding $212,922,653.48 USDT — LIFETIME direct contact; both inbound and outbound confirmed | FUNDS SENT |
| 2023-02-24 | Sanctions — Named Funder | OSINT: oofun.ai / lingyuok.com | Named co-upstream funder (~$16.5M) in 344M USDT TRON freeze event — Iran sanctions attribution per two independent OSINT sources | ESCALATED |
| 2022-02-07 | Relay Handoff — Coordinated Network | …otSo86vVnk | Final tx 06:44:33 UTC; TD2BiY activates 06:51:24 UTC same date — 6-minute 51-second relay succession confirms coordinated network deployment | ONGOING |
No address poisoning pattern identified. The 200 TRX inbound from the OKLink Sanction address is a genuine transactional relationship, not a sub-TRX or dust-level probe. The absence of mass tiny inbound amounts confirms this is not a poisoning attack scenario.
| CRITERION | FINDING | ASSESSMENT | |
| 1. Sanctions (OFAC/EU/UN) | HIGH | ||
| 2. Fraud/Scam Exposure | CLEAR | ||
| 3. Ransomware/Darknet | CLEAR | ||
| 4. Mixer/CoinJoin | CLEAR | ||
| 5. Exchange Source Verif. | LOW | ||
| 6. Structuring/Layering | HIGH | ||
| 7. Third-Party Risk | CRITICAL | ||
| 8. Address Poisoning | CLEAR |
No DeFi protocol interaction, smart-contract call, cross-chain bridge, or mixer exposure. Pure EOA-to-EOA TRX transfers. The 8 non-primary token events are spam/airdrop receipts with no operational significance. Network fingerprint is deliberately minimal.
Flagged Patterns & Significant Observations
| ID | Date | Event | Severity | Significance |
| A-01 | 2021-08-04 | Day-One Bidirectional Activity. Wallet activates with same-day inbound and outbound transfers — no settling period; immediate relay function from first block. | CRITICAL | Immediate bidirectional operation on activation day is characteristic of a pre-planned relay node, not an organic new account. |
| A-02 | 2022-02-07 | Relay Handoff — Coordinated Network Transition. Final transaction 06:44:33 UTC; co-network wallet TD2BiYkihphjrK35YQy1QGxGotSo86vVnk activates at 06:51:24 UTC — 6 minutes 51 seconds later on the same date. | CRITICAL | The 7-minute succession on the same calendar date is statistically implausible as coincidence; confirms coordinated relay handoff within a planned network succession structure. |
| A-03 | LIFETIME | Direct Sanction Address Contact — Bidirectional. Both inbound from and outbound to OKLink-confirmed Sanction addresses within the 186-day active window. | CRITICAL | Bidirectional direct contact with two confirmed Sanction addresses is the defining adverse finding; establishes this wallet as a sanctions-proximate network node rather than a peripheral participant. |
1,770 TRX received across 18 events (Aug 2021–Feb 2022) including 200 TRX directly from OKLink Sanction address TTiDLWE6fZK8okMJv6ijg42yrH6W2pjSr9; 1,630 TRX disbursed across 13 events including 450 TRX directly to OKLink Sanction address TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81. The wallet contributed $18.6M (Hop2 estimate) to the $303M TCXfhTDMuS6pbfCEoACPcBf2EnnhMAAEWh hub. Named co-upstream funder (~$16.5M) in the 344M USDT TRON freeze event. Final transaction 2022-02-07 06:44:33 UTC — 7-minute relay handoff to TD2BiYkihphjrK35YQy1QGxGotSo86vVnk confirmed.
Hypothesis Assessment
Probabilities sum to 100%. Attribution confidence: HIGH.
If this address appears in any transaction history, counterparty network, or client due diligence context, escalate immediately to compliance and legal counsel. The direct bidirectional transactional contact with OKLink-confirmed Sanction addresses constitutes material sanctions exposure under most regulatory frameworks. SAR filing is likely required. Cease all business relationships involving this address pending legal review. This wallet represents the highest-risk address in the analysed network.
Government Records · Press Coverage · Research & Analytics · Blockchain Intelligence
Four independent OSINT signals confirm the sanctions exposure at different levels of specificity: (1) oofun.ai — names this address as a co-upstream funder in the 344M USDT freeze; (2) lingyuok.com Chinese-language analysis — quantifies this wallet's contribution at ~$16.5M; (3) OKLink — confirmed Sanction/Blocked flags on both direct Hop1 counterparties with banner warnings; (4) Relay timing — the 7-minute gap with TD2BiYkihphjrK35YQy1QGxGotSo86vVnk on 2022-02-07 is a behavioural signal not captured in any single source but consistent across the full data picture.
Priority Actions & Engagement Opportunities
| P1 | OFAC SDN Verification — Priority — Immediately verify TTiDLWE6fZK8okMJv6ijg42yrH6W2pjSr9 and TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81 against the current OFAC SDN list; OKLink flags are strong but are not official SDN confirmation · Regulatory |
| P2 | SAR Filing — Mandatory Review — If this address appears in client transaction history, SAR filing is likely required in US/UK/EU jurisdictions; engage legal counsel immediately · Legal |
| P3 | Network Mapping — 344M USDT Event — Obtain full oofun.ai report and lingyuok.com analysis; map complete network of 50+ wallets identified in the sanctions event · OSINT |
| P4 | Blockchain Analytics Platform — Submit to Chainalysis/Elliptic for full USDT TRC-20 flow attribution; confirm $16.5M figure and identify additional network nodes · On-chain |
This wallet requires immediate escalation. Direct confirmed contact with OKLink-confirmed Sanction addresses holding $344M USDT collectively constitutes the most severe adverse finding in this analysis. Do not transact. File SAR if encountered in client history. Seek legal counsel for sanctions exposure assessment.
| REF | SOURCE |
|---|---|
| S1 | On-chain dataset -- TRC-20 Transfers https://tronscan.org/#/address/TZ3xL5jeBXyo8jPDvh2veBtJZCJoz… Full TRC-20 transfer history via Tronscan API. Retrieved 2026-06-05. |
| S2 | On-chain dataset -- Raw Transactions https://tronscan.org/#/address/TZ3xL5jeBXyo8jPDvh2veBtJZCJoz… Full transaction log via Tronscan API. Retrieved 2026-06-05. |
| S3 | Arkham -- Address Profile https://intel.arkm.com/explorer/address/TZ3xL5jeBXyo8jPDvh2v… Screenshot captured 2026-06-05. File: screenshot_arkham.png |
| S4 | Tronscan -- Address Profile https://tronscan.org/#/address/TZ3xL5jeBXyo8jPDvh2veBtJZCJoz… Screenshot captured 2026-06-05. File: screenshot_tronscan.png |
| S5 | Oklink -- Address Profile https://www.oklink.com/tron/address/TZ3xL5jeBXyo8jPDvh2veBtJ… Screenshot captured 2026-06-05. File: screenshot_oklink.png |
| TERM | DEFINITION |
|---|---|
| OKLink Sanction/Blocked | OKLink's highest-level risk designation, applied to TRON addresses confirmed on a sanctions list; displays a warning banner reading 'This address is reported as Sanction address. Please be aware of the risks!' with a 'Blocked' label. |
| Relay Handoff | A coordinated network transition in which one wallet ceases activity and a second wallet activates within a very short window, passing the operational role to the successor — characteristic of a planned, sequenced relay structure. |
| Hop1 Sanction Contact | A direct, first-degree transactional relationship with an address carrying a confirmed sanctions designation — the most severe counterparty risk finding possible short of the subject address itself being sanctioned. |
| USDT TRC-20 | Tether's USD-pegged stablecoin deployed on the TRON blockchain as a TRC-20 token; the primary value-transfer instrument in this network, with the TRX-layer wallets serving as gas providers. |
| 344M USDT Freeze Event | A TRON network sanctions enforcement action in which approximately 344 million USDT was frozen across multiple addresses linked to an Iran-related OFAC enforcement case. |