Minus $ 344 Million: The Story Behind One of Tether’s Largest-Ever Freezes

On April 23, 2026, Tether — the company behind the world's most capitalized stablecoin, USDT — froze $344.2 million in USDT across two addresses on the TRON network:

This was one of the largest single-event stablecoin freezes of 2026. According to BitOK analysts, the addresses were linked to fraud operations, including the laundering of stolen crypto.

Tether has not disclosed the owners of the addresses. Notably, neither wallet appears on the SDN (Specially Designated Nationals) list — the registry of sanctioned individuals and entities maintained by OFAC, the U.S. Treasury Department’s Office of Foreign Assets Control.

Blockchain forensics by BitOK investigators revealed that the frozen wallets served as cold storage for an entire settlement hub that facilitated pig butchering scams (a type of investment fraud where victims are groomed into trusting relationships and then lured into depositing funds on fake trading platforms), sanctioned platforms, and underground cash-out operations.

A cluster of 10 addresses processed $ 1.78 billion in USDT between 2021 and 2023, with the total throughput of the broader fraud ecosystem approaching $ 3 billion. Of that amount, roughly $ 657 million represents net external inflows ($ 640 million through four aggregators and ~$ 17 million in direct large deposits from trusted clients into hot wallets), $ 740 million was internal transfers between cluster nodes (hot wallet rotation and cold storage movements), $ 313 million was routed outward through transit intermediaries, and $ 344 million settled in two cold storage wallets — now frozen by Tether. The math checks out: $ 657 million in = $ 313 million out + $ 344 million frozen.

Transaction flows linked to the two frozen addresses. Infographic generated using BitOK Graph.

What got frozen wasn't just two standalone wallets — it was the final link in a carefully engineered infrastructure. The 10-address cluster was built on the classic architecture of an underground OTC desk (an over-the-counter intermediary that deals with clients directly, bypassing public exchanges), organized into three tiers.

These wallets accepted funds from external clients. Together, they processed $640 million in net deposits. The largest, TRQyU5aU1A, handled $325 million during a single year of operation from February 2022 to March 2023.

These are wallets kept constantly online for real-time transaction processing. Four hot wallets cycled through the operation in strict sequence: each new one came online on the exact day the previous one shut down. This kind of rotation is a hallmark of sanctioned OTC desks, designed to reduce the risk of detection and asset freezes. The largest hot wallet, TD2BiYkih, processed $ 380 million.

These were long-term storage addresses, disconnected from active operations — and the ones Tether ultimately froze.

TNiq9AXBp9 received $ 228 million, of which $ 212.9 million was frozen; TTiDLWE6 received $ 140 million, with $ 131.3 million frozen. Funds deposited to these addresses simply sat there and never moved.

A direct link between the two cold wallets is confirmed by a January 7, 2022 transaction: $ 8.6 million was sent directly from TTiDLWE6 to TNiq9 (tx 7ff5a0c5…).

The counterparty profile reveals the operation's scope and geographic reach.

By tracing the wallet chain, investigators found connections between the cluster and the Xinbi, Huione Guarantee, and Huione Pay platforms. A portion of the frozen funds is believed to be linked to scam compounds in Cambodia that ran pig butchering operations.

Worth noting: Pig butchering is exceptionally prevalent in Cambodia due to a combination of factors: rampant corruption, the existence of sealed-off economic zones, and ready-made infrastructure in vacant buildings controlled by international criminal syndicates. In 2024, BBC analysts concluded that the scale of pig butchering had reached roughly half of Cambodia's GDP.

The smoking gun is $392.7 million that flowed through Cambodia-based Huione Pay. In 2025, FinCEN designated it as a key money laundering node for Southeast Asian scam operations, while its affiliated marketplace, Huione Guarantee, has been facilitating criminal transactions since at least 2022.

The link was established through multi-hop tracing (more details in the section on the Russian
connection). In April 2024, a federal court in Atlanta filed charges in the Huione International Pay case.

Beyond Huione Pay, the exposure chains revealed over 30 unique pig butchering scam projects:

BitOK analysts concluded that the cluster systematically serviced dozens of separate fraud operations.

That said, the original source of the funds that ended up in cold storage remains unidentified. Blockchain tracing can show where money went and which services it passed through, but it cannot definitively pinpoint the ultimate origin — especially when the cluster runs dozens of intermediary hops deep and employs extensive fund-mixing techniques.

Investigator's note: This freeze may be part of an ongoing U.S. pressure campaign targeting the broader ecosystem of Cambodian scam compounds and Chinese entities that act as intermediary layers for moving and laundering funds.

$59.2 million in connections traces back to Garantex, a Russian-linked exchange that has been under OFAC sanctions since April 2022 and under criminal indictment by the U.S. Department of Justice since March 2025. The cluster's overall counterparty profile shows a strong Russian-speaking segment.

An anomalously high share of inbound flows — 16–26% at the cluster's main nodes — came from MaskEX.com, a UAE-based exchange with a sizable Russian-speaking user base. On the outbound side, however, MaskEX accounted for only 0.01–1%.

Key finding: BitOK analysts concluded that MaskEX.com served as the primary USDT on-ramp: clients purchased stablecoins on MaskEX and funneled them into the OTC desk — they did not withdraw to it. This is a textbook procurement pattern. The sell-off side was handled through Huione Pay and exchanges.

Overall, the cluster's exchange profile is typical of a large-scale underground OTC operation:

A cross-check of all 24 key network nodes (10 core + 5 partners + 9 transit) for direct transfers involving 571 known flagged addresses — Huione Pay, MaskEX, Garantex, Tether blacklists, scam platforms, and others — returned just one hit: partner TPRUTj98 received $453,000 from a single Huione Pay address between October 2023 and January 2024, after the main cluster had already wound down. All other links — Huione Pay ($392.7M), Garantex ($59.2M), MaskEX, and dozens of blacklisted clusters — are 100% indirect.

The average chain depth from the cold wallets to Garantex was 8.5–8.8 hops; to Huione Pay, it was 10.3 hops. The longest chains stretched to 25–28 intermediaries. This is the hallmark of a professional OTC desk: between the core infrastructure and any high-profile service sits a chain of 5–10 short-lived transit wallets, rotated every 3–6 months. Small-time operators don't operate this way — this level of discipline is typical of large sanctioned actors with in-house compliance teams.

The cluster's first address — cold wallet TNiq9AXBp9 — was created on March 4, 2021. By that summer, the first three hot wallets were up and running. The system reached full operational capacity by early 2022. During this period:

The peak month was January 2023: $124 million flowed into TNiq9. But the wind-down started as early as February. On February 24, 2023, the last major transfers took place: $30 million went to cold wallet TTiDLWE6, and TNiq9 received a final $153,000.

Then came a rapid shutdown. On March 14, 2023, the largest aggregator, TRQyU5aU1A ($325M), went dark. Notably, the very next day — March 15 — the Frankfurt Prosecutor's Office, working alongside Europol, carried out an operation against the ChipMixer tumbler, which the fraudsters likely used. On March 23, the primary hot wallet TD2BiYkih ($381M) went offline. By May 2023, the last aggregator had ceased operations.

*The timing overlap between the cluster's shutdown and the ChipMixer takedown is a very strong signal. It suggests the operators either knew about the coming crackdown or were directly affected by it.

From May 2023 to April 2026 — three years of silence. The only activity on the cluster's addresses was so-called "address poisoning": attackers created lookalike addresses matching the first and last characters of the real ones, then sent tiny amounts (1–10 USDT) to the genuine addresses. The goal was to trick the operator into accidentally copying a fake address from the transaction history and sending a large transfer to it. At least six such pairs were confirmed. None of the attacks succeeded — the operators spotted every attempt.

The $ 313 million that left the cluster didn’t go directly to exchanges. Instead, it flowed into nine transit nodes that handled over 83% of all external outflows.

These nodes redirected funds further — primarily into the Huione Pay ecosystem. One address stands out: TRJvQFUWwSmnk5rgM8m4HgE6Csj2qPEupX, which collected $ 217 million (including $ 40 million from our cluster), sent 92.7% of its outbound flow to Huione Pay, and remained active until November 2025 — a full 2.5 years after the main cluster shut down.

The final wave of outflows in April-May 2023 — $ 107 million to three addresses from the last active aggregator, TEqbDjaQp2 — wasn’t a distribution to clients. It was a capital transfer to new infrastructure.

The 10-address cluster didn’t operate in isolation. It functioned as a settlement hub for five or more large OTC partners with similar profiles.

All partners share a similar exposure profile: Huione Pay at 9–24%, Garantex at 1–3%. But unlike the core cluster, they continued operating into 2024–2025 — once the central hub shut down, flows were redistributed across other channels. The total ecosystem throughput approaches $3 billion in USDT.

Investigator's note: Increasingly, Tether freezes are targeting not individual scammers but payment and settlement hubs that processed massive volumes of funds.

The short answer: bureaucracy. The funds in cold storage hadn't moved since February 2023.

The freeze appears to be the result of a multi-jurisdictional investigation. The circumstantial evidence points to a joint effort by German and international investigators, culminating in a formal request to Tether to block the funds.

The $344 million freeze is not an isolated event. Since 2025, U.S. law enforcement and international regulators have been waging a large-scale campaign to dismantle the crypto infrastructure that enables fraud. Among other actions, this campaign has also resulted in the freeze of Garantex's assets.