There could be several reasons behind this behavior. It’s quite possible that we’re dealing with an unidentified cryptocurrency service, where intermediary addresses potentially function as deposit points. Nevertheless, not all transactions from cryptocurrency exchanges find their way through intermediary addresses before reaching TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy; there are direct transfers as well.
We also can’t rule out the possibility that these intermediary addresses are intentionally set up by the sender of funds. Routing minor transactions through intermediary addresses could confound the blockchain analytics algorithms used by cryptocurrency services, as they only establish an indirect link to TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy.
It’s worth noting that roughly 15% of the incoming funds come from Iranian exchanges, which are subject to sanctions in most countries. Such funds can’t easily be deposited into major exchanges, as advanced blockchain analytics systems would quickly flag these transactions as high-risk.
Hence, the owner of the address uses 'clean' funds acquired from prominent cryptocurrency exchanges. This strategy enables them to blend these resources with other assets, thereby diluting the percentage of high-risk assets in circulation. Consequently, approximately 85% of the funds in the balance of the address TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy were obtained from prominent platforms like Binance, Huobi, OKX, and others.
However, funds from this wallet are not immediately funneled to exchanges; they are instead aggregated at two main addresses:
It’s crucial to underscore once again: even though the address TPH78JPrRRDn9y3uCCW23PNYzJutpL3AKc isn’t mentioned in ASO 34/23, it operates as a central point for aggregating funds received from the address TK8qQuPSCeQx6AKuqHLX4xycSVFNXGVWQy.
Furthermore, approximately 35% of the funds are directed to the address TJXs786aim9pbYmBsYzibx4obAtiMTNyon, which is also not mentioned in either ASO 34/23 or ASO 29/23. Funds from this address are subsequently routed to TN6tJv6hmzDxQSLfAgdJBqXudJWCTusen1, which further channels them to the address of an unidentified service (TBM9rsth7dYNvrE9Yq9CsZQTTiea2njjPW).
The remaining 65% of the funds from these addresses are either directly or indirectly routed to major cryptocurrency exchanges.
This mixing strategy effectively ensures that the proportion of funds from Iranian exchanges within the overall risk profile does not surpass 1% for TUtw7GQJssJ6WtBE1J2xKks7VimKP8m587 and 7% for TPH78JPrRRDn9y3uCCW23PNYzJutpL3AKc.
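One way a screening system can measure the dilution described above, as an added example that is not code from this report: a proportional exposure calculation that traces unlabelled intermediary addresses back to labelled sources, set beside a check of direct counterparties only. The proportional model, the address labels and all amounts are constructed assumptions.

```python
from collections import defaultdict

# Constructed transfers (sender, receiver, amount). Labels and amounts are
# placeholders for illustration, not addresses or values from the report.
TRANSFERS = [
    ("sanctioned_exchange", "collector", 15.0),
    ("major_exchange_a", "collector", 85.0),
    ("collector", "aggregator_1", 60.0),
    ("major_exchange_a", "aggregator_1", 140.0),
    ("collector", "aggregator_2", 40.0),
    ("major_exchange_b", "aggregator_2", 960.0),
]
# Attribution labels an analyst already holds for known services (assumed).
LABELS = {
    "sanctioned_exchange": "high_risk",
    "major_exchange_a": "clean",
    "major_exchange_b": "clean",
}

def inflows(addr, transfers):
    return [(s, amt) for s, r, amt in transfers if r == addr]

def direct_share(addr, category, transfers=TRANSFERS, labels=LABELS):
    """Share of inflows received straight from senders labelled `category`."""
    flows = inflows(addr, transfers)
    total = sum(amt for _, amt in flows)
    hit = sum(amt for s, amt in flows if labels.get(s) == category)
    return hit / total if total else 0.0

def exposure(addr, transfers=TRANSFERS, labels=LABELS, _path=frozenset()):
    """Proportional exposure: trace unlabelled senders back to labelled sources."""
    flows = inflows(addr, transfers)
    total = sum(amt for _, amt in flows)
    shares = defaultdict(float)
    path = _path | {addr}
    for sender, amt in flows:
        weight = amt / total
        if sender in labels:
            shares[labels[sender]] += weight
        elif sender in path or not inflows(sender, transfers):
            shares["unknown"] += weight  # cycle or untraceable origin
        else:
            for cat, share in exposure(sender, transfers, labels, path).items():
                shares[cat] += weight * share
    return dict(shares)

if __name__ == "__main__":
    for a in ("collector", "aggregator_1", "aggregator_2"):
        print(a, direct_share(a, "high_risk"), exposure(a))
```

On this constructed data the direct-counterparty check reports 0% high-risk inflow for both aggregators, while the traced exposure is 4.5% and 0.6%.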
The process then moves on to redirecting these funds to various cryptocurrency services. This is done to confound blockchain analytics algorithms, diminish associations with Hezbollah and the Iranian Quds Force, and create the facade of legitimate transactions. As a result, around 90% of the funds are channeled to the most prominent cryptocurrency exchanges. A portion of these funds is then redirected back to Iranian exchanges. To depict this process visually, we have prepared a dedicated illustration (Fig. 14).