Global Cybersecurity Alliance Insight: 3.44 billion USDT Frozen on TRON Due to OFAC Action, Stablecoin Regulation Risk Highlighted Again

Bitsfull, 2026/05/28 19:10

Summary:

Analysis of the OFAC-related freeze of approximately 344 million USDT on the TRON chain


1. Event Background


On April 23, 2026, Tether announced that it had cooperated with the U.S. Department of the Treasury and law enforcement to freeze two USDT addresses on the TRON network, with a total frozen amount of approximately 344 million USDT. The next day, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) added these two addresses to its sanctions entry for the Central Bank of Iran (Bank Markazi) and noted their association with sanctioned entities such as the IRGC-Qods Force and Hezbollah. The two frozen addresses are:


• Address: TNiq9AXBp9EjUqhDhrwrfvAA8U3GUQZH81; Chain: TRON/TRC20-USDT; Frozen Amount: Approximately 212,922,653 USDT; Current Public Designation: OFAC marked as related to the Central Bank of Iran;


• Address: TTiDLWE6fZK8okMJv6ijg42yrH6W2pjSr9; Chain: TRON/TRC20-USDT; Frozen Amount: Approximately 131,288,800 USDT; Current Public Designation: OFAC marked as related to the Central Bank of Iran;


OFAC's classification of this event as "related to the Iranian government" does not rest on a single on-chain transaction but on several considerations:


First, OFAC directly included the two addresses in the relevant Central Bank of Iran sanctions entry;


Second, OFAC and on-chain analytics firms believe that these addresses have transaction paths to Iranian exchanges, Central Bank of Iran-related wallets, and intermediary addresses;


Third, both addresses have a long history of receiving large amounts of USDT, withdrawing infrequently, and sitting inactive for long periods, behavior more characteristic of institutional reserves or a liquidity pool than of a typical user wallet.


However, it is important to note that OFAC's sanctions designation is a result of official legal and intelligence assessments, and on-chain data alone cannot directly prove that the private keys are held by the Iranian government or the Central Bank of Iran. In other words, what can currently be confirmed is that the "U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has determined their association with the Central Bank of Iran," but it cannot be concluded solely based on public on-chain data that "these two addresses are definitely wallets directly controlled by the Iranian government."


2. Detailed Analysis


2.1 On-chain Characteristics of the Two Frozen Addresses


On-chain data shows that both addresses exhibit a clear pattern of "large inflows, proportionally low outflows, long-term holding." The address TNiq9...ZH81 has the larger balance, with total historical inflows of approximately $228.6 million USDT and total outflows of about $15.73 million USDT, or around 6.9% of total inflows. The frozen balance of address TTiDL...Sr9 is about $131.3 million USDT, and the address was added to the USDT blacklist on April 23, 2026, at 12:02 UTC.


This behavior does not resemble typical high-frequency money laundering intermediary addresses nor does it resemble an exchange's hot wallet. A more reasonable analysis is that both addresses may be part of a "reserve layer" or "aggregation layer" within a fund network. TRM Labs' consolidated analysis of the two addresses also suggests that they have collectively received approximately $370 million, across about 1,000 transactions, with the majority of funds accumulated by the end of 2023 and then dormant for an extended period, more akin to a "reserve wallet" rather than a day-to-day operational wallet.


2.2 Relationship Between the Two Frozen Addresses


The two addresses do not exist in isolation. Public analysis has mentioned that TTiDL...Sr9 once transferred around $8.6 million USDT to TNiq9...ZH81. This transaction indicates a direct financial relationship between the two addresses, supporting the assessment that they belong to the same financial structure or operational network.


However, this does not imply that "both are definitely directly controlled by the Central Bank of Iran." A more accurate statement would be: the $8.6 million USDT transfer demonstrates a financial coordination relationship between the two, but it does not prove the real-world private key holder and does not rule out the possibility of third-party brokers, OTC desks, custodians, or clearinghouses acting on their behalf.


2.3 Upstream Transaction Address Analysis


Based on public graphs and initial analysis, several significant upstream addresses include:


• Address: TD2BiYkihphjrK35YQy1QGxGotSo86vVnk; Role Assessment: Main upstream funder; Relationship with the frozen addresses: Source of funds at roughly the 29M / 30M level; Conclusion: Likely an upstream fund pool, broker, or custodial address;


• Address: TZ3xL5jeBXyo8jPDvh2veBtJZCJozHq81t; Role Assessment: Main upstream funder; Relationship with the frozen addresses: Source of funds at roughly the 16.5M level; Conclusion: Shares a common fund path annotation with Funder-001;


• Address: TYkdG6k1987mkfU5ZzYf9ZK3xi989jNMPJ; Role Assessment: Subordinate funder; Relationship with the frozen addresses: Small amount; Conclusion: Significant mainly as auxiliary evidence of a common fund structure;


• Address: TGzGetNjyDNv4ByMaLwPqG3U8tskNwQsbL; Role Assessment: Subordinate funder; Relationship with the frozen addresses: Small amount; Conclusion: More like an edge or test-oriented upstream address;


• Address: TCXfhTDMuS6pbfCEoACPcBf2EnnhMAAEWh; Role Assessment: Key transfer hub; Relationship with the frozen addresses: Approximately 274.6 million USDT in combined flow; Conclusion: More like a settlement/transfer node;


Of these, Funder-001 and Funder-002, the two main upstream funders, are the most significant. Their transfers are not fragmented retail receipts but larger amounts that enter the same fund structure in a more concentrated manner, indicating that the frozen addresses may be connected to institutional-level funding sources, OTC brokers, multi-address custody, or clearing networks. Funder-001 and Funder-002 cannot simply be called "Iranian government addresses"; a more precise description would be "suspected large upstream fund source addresses, possibly representing the supply side or broker side of the Iran-related funding network."


The key hub TCXfh...AEWh is also worth noting. This address is described as a large fund channel node that has processed approximately 274.6 million USDT in combined flow while keeping a balance close to 0, a "pass-through but not long-term holding" transfer pattern. This indicates that the overall fund structure may not be a simple "Iranian central bank cold wallet" but something more like:


Upstream funding source/broker → Aggregation wallet → Operations wallet → Settlement Hub → Exchange, cross-chain bridge, DeFi, or other settlement paths


This structure is more in line with a hybrid network of "nation-related funds + third-party financial infrastructure + exchange edge accounts" rather than a single government wallet model.


At the same time, according to data from the U.S. Department of the Treasury's official website, a total of 9 Iran-related TRON cryptocurrency addresses are explicitly marked on the SDN list. On this basis, this analysis built a sanctions address reference library covering 7 known entities, such as the ZEDCEX exchange, and rigorously compared it against the 45 valid counterparties of the two sanctioned addresses (17 associated with TARGET, 28 associated with TNiq9):


In the "first-hop" verification against direct counterparties, the data shows that apart from internal fund transfers between TARGET and TNiq9, neither party has had direct interaction with any Iranian addresses in the reference library.


In the "Second Hop" (Hop-2) tracing test aimed at investigating covert relationships, the scope of the investigation was further expanded to cover all direct counterparties' upstream and downstream transactions. On-chain tracing results show that all involved upstream fund hubs (such as TCXfh...) and downstream destinations did not reveal any fund transfers to known Iranian-sanctioned addresses within the two-hop range.
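The first-hop and second-hop screening described above can be sketched as a bounded breadth-first search over a transfer graph. This is an added example, not the report's own tooling; the labels, amounts and edges are constructed placeholders, and following transfers in both directions is an assumption.

```python
from collections import deque

def hop_distance(transfers, start, reference, max_hops=2):
    """Shortest hop count and path from start to any reference address.

    Transfers are followed in both directions, so upstream funders and
    downstream destinations are both explored. Returns (None, []) when
    nothing in the reference set lies within max_hops.
    """
    graph = {}
    for sender, receiver, _amount in transfers:
        graph.setdefault(sender, set()).add(receiver)
        graph.setdefault(receiver, set()).add(sender)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        node, hops = path[-1], len(path) - 1
        if hops > 0 and node in reference:
            return hops, path
        if hops == max_hops:
            continue  # do not expand beyond the hop limit
        for nxt in sorted(graph.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None, []

def screen(transfers, targets, reference, max_hops=2):
    """Screen each target, ignoring transfers among the targets themselves."""
    ref = set(reference) - set(targets)
    return {t: hop_distance(transfers, t, ref, max_hops) for t in targets}

# Constructed sample data: placeholder labels, not real addresses or flows.
TRANSFERS = [
    ("FUNDER_A", "FROZEN_1", 30_000_000),
    ("FROZEN_2", "FROZEN_1", 8_000_000),
    ("FROZEN_1", "HUB", 5_000_000),
    ("HUB", "EXCHANGE_DEPOSIT", 5_000_000),
    ("EXCHANGE_DEPOSIT", "REF_1", 1_000_000),   # three hops from FROZEN_1
    ("OTHER_WALLET", "BROKER", 2_000_000),
    ("BROKER", "REF_2", 2_000_000),             # two hops from OTHER_WALLET
]
REFERENCE = {"REF_1", "REF_2", "FROZEN_1", "FROZEN_2"}

if __name__ == "__main__":
    print(screen(TRANSFERS, ["FROZEN_1", "FROZEN_2"], REFERENCE))
    print(hop_distance(TRANSFERS, "FROZEN_1", {"REF_1"}, max_hops=3))
```

A clean result only means no reference address was reached within the hop limit in the supplied transfer data; in the sample, raising the limit to three hops surfaces a path that the two-hop screen does not.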


2.4 Currently Unable to Conclusively Prove Direct Iranian Government Control of Addresses


Overall, based on publicly available information, the following conclusions can be supported:


First, the two addresses have been officially marked by OFAC as related to the Central Bank of Iran;


Second, the on-chain behavior of the two addresses exhibits characteristics of a large reserve-type fund pool;


Third, the two addresses have financial links with multiple upstream funders, key transfer hubs, and exchange edge addresses;


Fourth, a direct transfer of 8.6 million USDT exists between the two addresses.


However, there are still significant gaps in publicly available information: no disclosure of complete investigative materials, no public proof of the private key holder, no evidence that the upstream funder address is the Iranian government's address, and no exclusion of the potential involvement of third-party brokers, OTC, custodians, exchange edge accounts, or mixed settlement networks.


The behavior of these two addresses does not resemble that of a typical IRGC wallet; they show mixed exposure to trading infrastructure such as Bitfinex, HTX, and Huione, and have been mentioned as overlapping with scam-related flows. These factors undermine the simple narrative that "this is a clean, closed, Iranian government reserve address only."


Therefore, this report suggests a more cautious description:


These two addresses can be described as "OFAC-designated Central Bank of Iran-related addresses" or "large reserve/collection addresses in a suspected Iran-related fund network," but should not be directly referred to as "wallet addresses confirmed to be directly controlled by the Iranian government."


3. Impact Analysis


3.1 Impact on Stablecoins


This event once again illustrates that centralized stablecoins like USDT are not fully censorship-resistant. Although USDT operates on a public chain, the issuer can still blacklist and freeze specific addresses at the smart contract level. USDT is therefore more accurately described as a combination of "on-chain USD-backed token + issuer compliance control" than as completely unfreezable on-chain cash.


This will have a dual impact: on one hand, compliance agencies and regulatory bodies will further recognize the regulatory compliance of stablecoins; on the other hand, users emphasizing decentralization and censorship resistance will reevaluate the freeze risk of centralized stablecoins.


3.2 Impact on Public Blockchain Ecosystem


Both frozen addresses are located on the TRON network, indicating that TRON, as a low-fee, high-liquidity USDT transfer network, has become a focal point for on-chain regulation and enforcement. In the future, regulation will not only focus on the public chain itself, but will pay more attention to stablecoin issuers, exchanges, OTC desks, cross-chain bridges, wallet service providers, on-chain data providers, and fiat on/off ramps.


This means that, although public blockchains remain neutral in technology, the assets, entrances, exits, and service providers on them will be subject to real-world regulation and geopolitical influences.


3.3 Impact on On-Chain Risk Control and Compliance Industry


This event demonstrates that simply checking "whether it hits the blacklist" is no longer sufficient. Effective risk control requires a combination of address profiling, fund flow analysis, multi-hop risk, exchange labels, OTC clusters, stablecoin freeze status, and address behavior patterns.


In the future, on-chain compliance systems will need to answer not only "Is this address on the OFAC list?" but also:


How many hops away is this address from high-risk addresses?


Has it interacted with sanctioned entities, exchange deposit addresses, cross-chain bridges, or gray OTC?


Are there any abnormal patterns such as large deposits, low-frequency withdrawals, long periods of inactivity, or sudden transfers?


Therefore, address profiling, fund flow tracking, multi-hop risk scoring, and stablecoin freeze monitoring will become core capabilities of Web3 risk control products.
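The behavior-pattern question above (large deposits, low-frequency withdrawals, long inactivity), together with the reserve-versus-pass-through distinction drawn in section 2, can be expressed as a simple profiling function. This is an added example, not the report's methodology; the thresholds, labels and sample transfers are constructed assumptions.

```python
from datetime import datetime, timezone

def profile(address, transfers, as_of, min_inflow=10_000_000,
            reserve_ratio=0.10, hub_ratio=0.95, dormant_days=180):
    """Label an address from (time, sender, receiver, amount_usdt) transfers.

    Thresholds are illustrative assumptions, not values from the report.
    """
    inflow = sum(a for _, s, r, a in transfers if r == address)
    outflow = sum(a for _, s, r, a in transfers if s == address)
    times = [t for t, s, r, _ in transfers if address in (s, r)]
    if not times or inflow == 0:
        return {"label": "no-inflow", "outflow_ratio": None, "idle_days": None}
    ratio = outflow / inflow
    idle_days = (as_of - max(times)).days
    if inflow < min_inflow:
        label = "below-threshold"
    elif ratio <= reserve_ratio and idle_days >= dormant_days:
        label = "reserve-like"      # large inflows, low outflows, long idle
    elif ratio >= hub_ratio:
        label = "pass-through"      # nearly everything received is forwarded
    else:
        label = "mixed"
    return {"label": label, "outflow_ratio": round(ratio, 3),
            "idle_days": idle_days}

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample transfers with placeholder labels, not real on-chain data.
SAMPLE = [
    (day(2023, 3, 1), "SRC_1", "WALLET_R", 40_000_000),
    (day(2023, 8, 15), "SRC_2", "WALLET_R", 55_000_000),
    (day(2023, 12, 20), "WALLET_R", "HUB_P", 5_000_000),
    (day(2024, 1, 5), "SRC_1", "HUB_P", 20_000_000),
    (day(2024, 1, 6), "HUB_P", "DEST_1", 24_900_000),
]
AS_OF = day(2024, 12, 20)

if __name__ == "__main__":
    for addr in ("WALLET_R", "HUB_P", "SRC_1"):
        print(addr, profile(addr, SAMPLE, AS_OF))
```

A label of this kind describes behavior only; as the report stresses, it says nothing about who holds the private key.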


3.4 Impact on Regulatory Framework


Traditional sanctions mainly rely on banks, SWIFT, clearing houses, and financial institutions for enforcement, but this event indicates that stablecoin issuers are becoming part of the sanction enforcement chain. A new on-chain regulatory model may emerge in the future:


OFAC Sanctions List + On-Chain Analytics Firms + Stablecoin Issuers + Exchanges + Wallet Service Providers


This mechanism is more immediate than the traditional banking system because on-chain data is public, traceable, and can be automatically monitored. However, it also brings issues such as false positives, black box attribution, and inadequate appeals mechanisms.


3.5 Impact on Ordinary Users and Enterprises


For the average user, controlling the private key does not equal absolute asset security. For centralized stablecoins like USDT and USDC, even if the private key is not compromised, the tokens may still be frozen at the smart contract level due to compliance reasons.


For enterprises, accepting USDT payments should not only focus on "whether the funds have arrived," but also consider whether the source of the funds is clean. If the payment comes from a sanctioned address, scam address, hacker address, or high-risk OTC, there may be subsequent risks such as exchanges refusing deposits, account risk control, fund freezes, and compliance investigations.


Insight Report Source: Global Cyber Security Alliance

