INVESTIGATIONS

        
        Live investigation · TRON · USDT laundering
      

$812M, One Ghost Wallet, Three Exchanges — Nobody Flagged It

A Flash USDT Telegram channel led investigators to a 2-of-3 multisig TRON wallet that processed $812M in 15 months with a 0.006% net retention rate. The funds aggregated from 69,591 victim wallets, relayed through purpose-built automated infrastructure, and exited to named KYC-linked deposit addresses at OKX, Kraken, and Binance. Every hop is on-chain. Every exchange had the data.

By Bitquery Research /Blockchain Intelligence /On-chain figures verified June 2026 /15 min read

At a glance

A Flash USDT Telegram channel (@ARCHY_USDT, 37,864 subscribers) posted a confirmed $100,000 USDT transaction as fraud proof. That transaction originated from TEkddeyN — a 2-of-3 multisig relay wallet that processed $812.3M inbound and $807.2M outbound in 15 months, retaining just $5.1M (0.006%). The wallet aggregates funds from 69,591 victim wallets through a mule aggregator, then splits outflow to a mass disburser (8,043 end recipients) and a relay ring that exits to OKX ($5.67B), Kraken ($5.36B), and Binance ($4.14B) deposit addresses — all KYC-linked, all active. The circuit has been operational since early 2025. 33 tamper wallets and a just-in-time energy delegation system keep it running without leaving a staking footprint.

$812.3M

TEkddeyN lifetime volume

0.006%

Net retention rate

69,591

Victim wallets feeding the circuit

8,043

End recipients via mass disburser

$15.17B

Confirmed to 3 exchange deposits

33+

Tamper wallets in operational layer

SECTION 01

The failure first

Three global exchanges received billions from a wallet whose behaviour should have stopped them cold.

That is the conclusion we reached, and we want to state it before we show our work. Across this investigation we kept arriving at the same place: OKX, Kraken, and Binance each hold KYC-linked deposit addresses that received billions of dollars from THCuQ27 — a relay wallet with a 3.4-year operating history of receiving large USDT batches and immediately forwarding them, retaining $573,000 net on $21.44 billion moved.

The clearest example is TBtHBd5ZGVW3MjdsEHszrKucaJ7NzkfUc6. Arkham Intelligence identifies it as an OKX deposit address. In the 90-day window we profiled, it received $5.67B across 2,309 transactions from THCuQ27. Its most recent inbound transfers — $1.5M, $3.2M, and $4.95M — arrived nine hours before we finalised this report. The account is live. OKX has the KYC file.

Address	Exchange	Received	Txns	Last seen
TBtHBd5ZGVW3MjdsEHszrKucaJ7NzkfUc6	OKX Deposit^A	$5.67B	2,309	Active 9h ago
TDL5Essu6rG9TzHF3BiqnEHcgkgNsc1hEZ	Kraken Deposit^A	$5.36B	2,044	Active 4 days ago
TPthiuuwnMTrqYkNSghbBMUkVJGe2ChZwS	Binance Deposit^A	$4.14B	341	Active 14h ago

^A Exchange labels from Arkham Intelligence and OKLink — third-party attribution, not exchange-confirmed.

Key finding

$15.17B in confirmed deposits to three regulated exchanges — from a relay wallet whose on-chain profile is the textbook definition of a layering node. Net retained: $573,000.

SECTION 02

Where it started

A Telegram scam channel. A pinned transaction. A public ledger.

We did not start with the exchanges. We started with a single Telegram channel.

FLASH USDT BTC CRYPTO — 37,864 subscribers, contact handle @ARCHY_USDT — had a pinned message: “Transaction success. 100,000 USDT. Confirmed onchain.” Alongside it, a Tronscan link. Standard Flash USDT social proof: post a real blockchain transaction, imply you sent it, collect upfront fees from victims who believe you can send spendable USDT.

Two transactions appeared in the channel’s history. The first — 6da039bd…567ec, 15,000 USDT, 6 June 2026 — involved wallets unconnected to our circuit. Scraped from a public explorer, consistent with standard Flash USDT practice. The second was different.

Hash:   402686127a620f59b91fae52d65b2743e522602d1d9dc0ce3691f284f3bf3b6e
From:   TEkddeyNsrKKzAX48MMzCrHHXLCbCHW619  ← TARGET WALLET (2-of-3 multisig)
To:     TDDfqHFh1JtKXq7pQV1qCx2bH8Q96vMBgL  ← mass disburser
Amount: 100,000 USDT
Block:  83,227,246 · 1 Jun 2026 21:49:54 UTC · CONFIRMED
Signers: TEkddeyN + TQQhN3ECLLYdjHCUkS8d2UK5x3fZvdq3FR (2 of 3)
Energy:  64,285 units — delegated, not owned

Transaction 402686127a… was posted in the channel approximately five days after it confirmed on-chain on 1 June 2026. The timing matters: a five-day gap is consistent with a scam operator recycling public blockchain data rather than having real-time control of TEkddeyN. We state that clearly. The Telegram-to-wallet link is circumstantial. What is not circumstantial is what TEkddeyN is, and what it connects to.

SECTION 03

The target wallet

TEkddeyN — a 2-of-3 multisig relay processing $812M in 15 months with 0.006% net retention.

TEkddeyNsrKKzAX48MMzCrHHXLCbCHW619 has been active since March 2025. In 15 months it processed $812.3M inbound and $807.2M outbound, retaining $5.1M net — a retention rate of 0.006%. It is not holding funds. It is moving them.

First, it is a 2-of-3 multisig wallet. Every outbound transaction requires two of three keyholders to sign. The $100K Telegram transaction was co-signed by TEkddeyN itself and TQQhN3ECLLYdjHCUkS8d2UK5x3fZvdq3FR. A third keyholder — TLRr4rA6opQ2h9csW5dH3X6BxmGw2rkuH6 — has not been profiled. Multisig at this scale is institutional-grade key management, not retail behaviour.

Second, TEkddeyN does not pay for its own operations. Every USDT transfer is preceded by an energy delegation from dedicated infrastructure wallets and followed immediately by energy reclaim. TEkddeyN borrows 64,285 energy units per transfer, uses them, and returns them — a just-in-time rental model that leaves the wallet with no staking footprint and reduces its detectability.

$812.3M

Lifetime inbound

$807.2M

Lifetime outbound

0.006%

Net retention rate

15 mo

Active (Mar 2025–Jun 2026)

2-of-3

Multisig threshold

33+

Tamper wallets in maintenance layer

Supporting TEkddeyN is a network of 33 confirmed TRX dust-sending wallets — pure operational bots with zero USDT activity, each sending sub-cent TRX pings to maintain bandwidth. Their funding traces to at least three master distribution wallets, the most notable being TGGJqVx6jV12119u6JLGmGzxf166666666 — a vanity address ending in nine sixes, with 221,413 outbound transactions and only 132 inbound refill transactions. Those 132 refills are the closest available trail to the network’s ultimate controller.

SECTION 04

The machine

Five layers, seven nodes, a mule aggregator collecting from 69,591 wallets — and a relay ring exiting to three regulated exchanges.

TEkddeyN is not the top of this circuit. It is the third layer. The full structure runs five layers deep.

Figure 1

The full circuit — L0 to exchange exit

Seven confirmed USDT-layer nodes across five structural layers. Flow volumes shown per edge. Exchange labels via Arkham Intelligence.

Exchange labels (OKX, Kraken, Binance) sourced from Arkham Intelligence — third-party attribution, not exchange-confirmed. Flow volumes on forward edges reflect the 90-day profiling window; lifetime volumes shown in node labels.

Layer	Wallet	Role	Lifetime	Characteristics
L0	TWUByRE…	Dedicated feeder	$59.4M	Sends exclusively to TWhC1Fv
L0	TJbLini…	Dedicated feeder	$13.3M	Sends exclusively to TWhC1Fv
L1	TWhC1Fv…	Mule aggregator	$799.8M	71,542 txns from 69,591 wallets · avg $2,013 in · avg $897K out · 2 recipients
L2	TEkddeyN…	Target relay	$812.3M	2-of-3 multisig · 6 senders · 23 recipients · Mar 2025–present
L3	TDDfqH…	Mass disburser	$442.4M	40,782 txns to 8,043 recipients · avg $2,456
L4	THCuQ27…	Relay	$21.44B	Jan 2023–present · 33 exit wallets · top 3 are OKX, Kraken, Binance
L5	OKX / Kraken / Binance	KYC-linked exits	$15.17B	Named account holders · active within 24h of this report

The structure at L1 is the most operationally significant. TWhC1Fv collects from 69,591 distinct wallets at an average of $2,013 per transaction, then sweeps consolidated batches of approximately $897K to TEkddeyN. This is not one sender moving money — it is a mass aggregation of small inflows into large outflows, the on-chain signature of a mule network collecting fraud proceeds at scale.

Figure 2

The mule aggregator — consolidation signal

TWhC1Fv collects from 69,591 distinct wallets at $2,013 average, then sweeps consolidated batches of $897K to TEkddeyN. The gap between average inbound and average outbound is the on-chain signature of a mule network.

69,591

distinct inbound wallets

avg $2,013

per transaction

71,542
txns in

TWUByRE feeder

$59.4M lifetime

single recipient only

TJbLini feeder

$13.3M lifetime

single recipient only

TWhC1Fv — Mule aggregator

TWhC1FvBoycGpu2bf5MSuGYva9oWcUD87A

$799.8M

lifetime volume

outbound recipients

$897K

avg outbound sweep

The consolidation signal: average inbound $2,013 from 69,591 wallets → average outbound $897,000 to 2 recipients. A 445× amplification ratio. This is not commerce — it is aggregation of fraud proceeds at scale.

67%

→ TDDfqH (mass disburser)

TDDfqHFh1JtKXq7pQV1qCx2bH8Q96vMBgL

$87.9M in 90 days

40,782 txns → 8,043 end recipients

31%

→ THCuQ27 relay (exchange exits)

THCuQ27bSmD3ohTShjpnr1hDjp1bHNpS8o

$40.8M in 90 days

→ OKX / Kraken / Binance

Inbound figures reflect the 90-day profiling window. Lifetime volume $799.8M. Both outbound recipients confirmed across the full lifetime dataset.

The signal

The gap between the average inbound ticket ($2,013) and the average outbound sweep ($897,000) at TWhC1Fv is the signal: 69,591 small inflows consolidated into 160 large sweeps, nothing retained.

How the relay ring works

THCuQ27 has processed $21.44B lifetime since January 2023, retaining $573,000 net. It has 33 lifetime outbound recipients, of which three are the exchange deposit addresses shown in Section 01. The remaining recipients include a $1.39B unexplored wallet (TSLyJNfq…) and a brand-new rotation address that appeared in May 2026 and received $23.4M in its first two weeks (TMcroaKFG…).

Why this matters

An investigator snapshotting the circuit at any single moment sees only the currently active destination wallets. THCuQ27 has cycled through 33 recipients across 3.4 years. Surfacing the full history requires time-windowed counterparty ranking across the complete lifetime dataset — the same data available to exchange compliance teams.

SECTION 05

The operational infrastructure

33 tamper wallets, 3 energy delegators, and a vanity address — this is automated, not manual.

What is visible in TEkddeyN’s full transaction log is not a human manually sending USDT. It is a programmatic loop running continuously:

1An energy delegation transaction fires from one of three infrastructure wallets immediately before each USDT transfer.
2The USDT transfer executes using the borrowed 64,285 energy units.
3The energy is reclaimed within the same block cluster.
4A dust TRX ping arrives from one of 33 tamper wallets to maintain bandwidth.
5The cycle repeats.

The energy delegation wallets hold staked TRX. That staked TRX came from somewhere with a traceable funding path. All 33 tamper wallets have zero USDT activity — operationally sterile by design.

Address	Role	Profile	Note
TGGJqVx6jV12119u6JLGmGzxf166666666	Primary TRX funder	221,413 out · 132 in · Nov 2024	Vanity — “666666” suffix
TB4djHQ4aBJkxc3Ext3gneZno2fFMPdyuk	Legacy funder	203,043 out · 12,549 in · May 2022	3+ yrs · funded TKqKDv at creation
TEzPZwTxL2dVqkdNQmsCyCV1t39imF73vn	Mid-tier distributor	Funded TPJKp5P at creation (Oct 2023)	Sits between funder and tamper wallets

TGGJqVx6jV12119u6JLGmGzxf166666666 has 132 inbound transactions against 221,413 outbound. Those 132 refills are the narrowest point in the funding trail — and the highest probability of finding an exchange withdrawal linked to a KYC-verified identity.

Timezone analysis

Across 105 outbound transactions from TEkddeyN, 78% of activity falls between UTC 04:00–15:00, mapping to IST 09:30–20:30. Zero transactions occur between midnight and 05:00 IST. Seven-day operation with no weekend silence indicates a dedicated full-time operation. India (UTC+5:30) is the strongest timezone fit at 96% confidence; Pakistan (+5:00) and Bangladesh (+6:00) cannot be excluded.

SECTION 06

The exit, confirmed on-chain

OKX, Kraken, Binance. Named accounts. Live deposits.

THCuQ27 has 33 lifetime outbound recipients. The top destinations:

Figure 3

THCuQ27 — where $21.44B went

33 lifetime outbound recipients. The top three are named, KYC-linked deposit addresses at regulated global exchanges. Exchange labels via Arkham Intelligence.

THCuQ27bSmD3ohTShjpnr1hDjp1bHNpS8o

Relay wallet · Jan 2023–present · 3.4 years active · net retained $573K

$21.44B

lifetime outbound

OKX

TBtHBd5Z…Uc6

Active 9h ago

26.4%

$5.67B

2,309 txns

Kraken

TDL5Essu…hEZ

Active 4d ago

25.0%

$5.36B

2,044 txns

Binance

TPthiuu…ZwS

Active 14h ago

19.3%

$4.14B

341 txns

TSLyJNfq

…arjmked9v

Unexplored

6.5%

$1.39B

1,650 txns

TMcroaKFG

…AmAKx

New · May 2026

$23.4M

41 txns

28 others

combined

~$370M

~520 txns

Combined to 3 KYC-linked exchange deposits

OKX + Kraken + Binance · all active within 24 hours of this report

$15.17B

Exchange
Deposit address
Received
Status

OKX

TBtHBd5ZGVW3MjdsEHszrKucaJ7NzkfUc6

$5.67B

• Live

Kraken

TDL5Essu6rG9TzHF3BiqnEHcgkgNsc1hEZ

$5.36B

• Live

Binance

TPthiuuwnMTrqYkNSghbBMUkVJGe2ChZwS

$4.14B

• Live

KYC-linked exchange deposit (Arkham)

Unexplored — profiling recommended

New wallet — rotation signal (May 2026)

Proportional bars represent each recipient’s share of THCuQ27’s $21.44B lifetime outbound. Exchange labels sourced from Arkham Intelligence — third-party attribution, not exchange-confirmed. All three exchange deposit addresses confirmed active within 24 hours of this investigation being finalised.

Recipient	Label^A	Received	Txns	Status
TBtHBd5Z…NzkfUc6	OKX Deposit	$5.67B	2,309	Active 9h ago
TDL5Essu…Nsc1hEZ	Kraken Deposit	$5.36B	2,044	Active 4 days ago
TPthiuu…ChZwS	Binance Deposit	$4.14B	341	Active 14h ago
TSLyJNfq…jmked9v	Unexplored	$1.39B	1,650	Highest priority
TMcroaKFG…ibAmAKx	New wallet	$23.4M	41	Created May 2026

^A Exchange labels via Arkham Intelligence — third-party attribution, not exchange-confirmed.

TMcroaKFGBHZXYMxRGMvGJdwvjvibAmAKx first appeared in May 2026 and received $23.4M in its first two weeks. A fresh wallet receiving high-volume flows from established infrastructure is the standard wallet rotation signal — suggesting the operators are cycling out older, more visible addresses in real time.

The disclosure path

The account holder behind TBtHBd5Z at OKX, TDL5Essu at Kraken, and TPthiuu at Binance received a combined $15.17B from THCuQ27 across the documented lifetime. Each exchange has a KYC file. Each has the transaction history. A standard law enforcement request citing these deposit address hashes and the upstream circuit is sufficient to initiate disclosure under existing legal frameworks.

SECTION 07

Read backward

The full circuit, end to end.

Fraud proceeds enter at the feeder layer, aggregate through a 69,591-wallet mule network, relay through a 2-of-3 multisig processing $812M in 15 months, and exit to named KYC-verified accounts at three of the world’s largest regulated exchanges. At no visible point in this chain did exchange monitoring interrupt the flow.

TIER 1 — FEEDERS

TWUByRE ($59.4M) and TJbLini ($13.3M) plus 69,591 victim wallets averaging $2,013 per transaction. Both feeder wallets send to one address only — TWhC1Fv.

TIER 2 — MULE AGGREGATOR

TWhC1FvBoycGpu2bf5MSuGYva9oWcUD87A — $799.8M lifetime. Receives from 69,591 sources. Sweeps in $897K batches to TEkddeyN. Two outbound recipients only.

TIER 3 — TARGET RELAY

TEkddeyNsrKKzAX48MMzCrHHXLCbCHW619 — $812.3M lifetime. 2-of-3 multisig. 67% of outflow to TDDfqH, 31% to THCuQ27 (via intermediate routing). Automated just-in-time energy system. 33 maintenance wallets. Active March 2025–present.

TIER 4 — DISTRIBUTION

TDDfqHFh1JtKXq7pQV1qCx2bH8Q96vMBgL — $442.4M lifetime. 40,782 transactions to 8,043 end recipients averaging $2,456 each.

TIER 5 — RELAY AND EXIT

THCuQ27bSmD3ohTShjpnr1hDjp1bHNpS8o — $21.44B lifetime since January 2023. 33 outbound recipients. Top three confirmed as OKX ($5.67B), Kraken ($5.36B), and Binance ($4.14B) deposit addresses — all KYC-linked, all active within 24 hours of this report.

SECTION 08

Context

Why TRON, and why this keeps happening.

TRON settled roughly $2 trillion in USDT in Q1 2026. Over 10.9 million transactions cross the network every day. Fees are near-zero, settlement runs under three seconds, and there is essentially no friction in moving value across borders pseudonymously. That is exactly why monitoring failures at the exchange layer are so costly: when a circuit can move $812M through a single relay wallet in 15 months, the institutions positioned to interrupt it are the on/off ramps. When those ramps fail to flag counterparties whose on-chain behaviour has been visible for months, the rest of the network has no chokepoint at all.

None of the addresses in this circuit carried a risk flag in Dune Analytics, Tronscan, or OKLink when we began. The signal was entirely in the behaviour: a 2-of-3 multisig with a 0.006% net retention rate; a mule aggregator collecting from 69,591 sources; a relay wallet with $21.44B lifetime volume and a $573K net balance; and three exchange deposit addresses each receiving billions from a single wallet. All of it readable, in real time, on a public ledger.

What made this possible

Every query ran through Bitquery’s TRON stablecoin dataset (623GB, full TRON history). Dual wallet profiling, directional flow mapping, outbound recipient ranking, inbound sender ranking, cross-cluster edge detection, and timezone analysis — all in a single interface. Cross-verified against Arkham Intelligence, MetaSleuth, OKLink, and Tronscan. Transaction hashes and block timestamps confirmed on Tronscan UI.

dual_wallet_profile directional_flow_map recipient_rankings sender_volume_agg cross_cluster_edges timezone_analysis

SECTION 09

Still live

Open threads.

Every node in this circuit had a confirmed transaction on the date this investigation was finalised. The circuit is operational.

TSLyJNfqoH8MAPJKfC6sLt7A4arjmked9v

$1.39B received from THCuQ27 across 1,650 transactions since January 2023 — completely unexplored. Its downstream recipients have not been mapped. The highest-priority uninvestigated node in the circuit.

TQQhN3ECLLYdjHCUkS8d2UK5x3fZvdq3FR

Co-signer on the $100K Telegram transaction. One of three TEkddeyN multisig keyholders. Full counterparty profile not yet pulled. Profiling this address could identify the second controller of the target wallet.

TLRr4rA6opQ2h9csW5dH3X6BxmGw2rkuH6

Third TEkddeyN multisig keyholder. Unexplored. May be a cold wallet, a coordinator address, or a separate operator.

TGGJqVx6jV12119u6JLGmGzxf166666666

Primary TRX funder with 132 inbound refill transactions. Pulling those 132 inbound senders is the highest-probability path to a KYC-linked identity behind this operation.

TMcroaKFGBHZXYMxRGMvGJdwvjvibAmAKx

$23.4M received since May 2026. Possible active wallet rotation event. Real-time monitoring recommended.

REFERENCE

Addresses

Click any address to copy. Complete list for verification.

Circuit nodes (USDT layer)

TEkddeyNsrKKzAX48MMzCrHHXLCbCHW619

TARGET relay (L2)

TWhC1FvBoycGpu2bf5MSuGYva9oWcUD87A

Mule aggregator (L1)

TWUByREystJyvQ6fzu4yjkKsKGFGsPyhjX

Dedicated feeder (L0)

TJbLini24PV4gTXZsrBfwYkegzrScewZwy

Dedicated feeder (L0)

TDDfqHFh1JtKXq7pQV1qCx2bH8Q96vMBgL

Mass disburser (L3)

THCuQ27bSmD3ohTShjpnr1hDjp1bHNpS8o

Relay (L4)

Exchange exits (Arkham)

TBtHBd5ZGVW3MjdsEHszrKucaJ7NzkfUc6

OKX Deposit · $5.67B

TDL5Essu6rG9TzHF3BiqnEHcgkgNsc1hEZ

Kraken Deposit · $5.36B

TPthiuuwnMTrqYkNSghbBMUkVJGe2ChZwS

Binance Deposit · $4.14B

Unexplored high-priority

TSLyJNfqoH8MAPJKfC6sLt7A4arjmked9v

$1.39B from THCuQ27

TMcroaKFGBHZXYMxRGMvGJdwvjvibAmAKx

New wallet, May 2026

TQQhN3ECLLYdjHCUkS8d2UK5x3fZvdq3FR

Co-signer on $100K tx

TLRr4rA6opQ2h9csW5dH3X6BxmGw2rkuH6

Third multisig keyholder

TRX operational layer

TGGJqVx6jV12119u6JLGmGzxf166666666

Primary TRX funder (vanity)

TB4djHQ4aBJkxc3Ext3gneZno2fFMPdyuk

Legacy TRX funder

TEzPZwTxL2dVqkdNQmsCyCV1t39imF73vn

Mid-tier TRX distributor

TTAxbeRhSESRTYRCe3X5BHrTKFBVbSBGC1

Energy delegator

TRKsmaBFDqhpnvz8yPzW9XYAMuFoShnLe9

Energy delegator

TTWkcVzBNjrxmWa1yQJ6XCBPh8eQ37hWZ

Energy delegator

Verified transaction

402686127a620f59b91fae52d65b2743e522602d1d9dc0ce3691f284f3bf3b6e

Block 83,227,246

Date 1 Jun 2026 21:49:54 UTC

Amount 100,000 USDT

Route TEkddeyN → TDDfqH

Signer TQQhN3ECLLYdjHCUkS8d2UK5x3fZvdq3FR

Run the next investigation in minutes

Ask any question of the blockchain. Bitquery's AI Investigations agent traces funds, attributes wallets, and writes auditable reports across every major chain.

Explore AI Investigations

Legal disclaimer

This article is provided for informational and educational purposes only and reflects analysis of publicly available on-chain data as of the dates indicated. It does not constitute legal, financial, compliance, or investment advice.

The findings describe patterns observed in blockchain transaction data and third-party attribution sources including Bitquery, Arkham Intelligence, MetaSleuth, OKLink, and Tronscan. Wallet-to-entity attributions and exchange labels are based on these sources and on-chain behavioural analysis. They may be incomplete, may contain errors, or may change as additional data becomes available. Blockchain addresses are pseudonymous, and the presence of a transaction between two addresses does not by itself establish the identity, intent, or knowledge of any party.

References to specific exchanges describe transaction flows observed on-chain and inferences drawn from them. They are not assertions that any named entity knowingly facilitated, participated in, or is legally liable for unlawful conduct, and should not be read as accusations of criminal or regulatory wrongdoing against any specific company or individual.

Nothing herein should be relied upon as a definitive determination of fact. Readers should conduct their own independent verification before taking any action. The authors and publisher accept no liability for any loss or damage arising from reliance on this material.