Tether USD (hereinafter referred to as USDT) is a centralized stable token issued by Tether, which is bound by smart contracts in the blockchain network and anchored to the US dollar. In addition to the anonymous transfer and permissionless use characteristics of other cryptocurrencies, USDT also gives the issuer huge scheduling authority, allowing developers to issue and destroy USDT tokens of a certain address, or limit the operation rights of a specific address to USDT, which is what the industry calls "Tether Freeze".
This type of centralized freezing activity is usually triggered by law enforcement requests from government departments around the world or temporary major crypto security incidents. It aims to prevent known illegal and criminal activities using USDT and intercept damaged assets to prevent the expansion of damage. As the adoption of USDT in the real financial system increases, illegal and criminal activities involving currency occur frequently, resulting in the increasing prevalence of Tether freezing activities, which has caused a large negative business impact on a large number of web3 companies that are operating normally but accidentally collect risky crypto funds, and even brought legal risks.
This article will take the case of Cambodia Huiwang Group being frozen by Tether for 29.62 million USDT as an example to analyze and explain this.
Overview of Huiwang's business scale
Huiwang Group is a large financial group located in Cambodia, with business segments including cryptocurrency wallets, payments, transaction guarantees, insurance, cryptocurrency exchanges, etc. Its core payment and guarantee business uses a large amount of USDT. According to the address tag data of Bitrace's DeTrust on-chain risk fund monitoring and management platform, HuionePay and HuioneGuarantee have more than 180,000 official and user addresses, making it the largest local crypto company with influence radiating to the entire Southeast Asia and even East Asia.
According to Bitrace monitoring, between June 2022 and June 2024, the monthly fund size of all known HuionePay and Huione Guarantee business addresses has maintained an upward trend, from a minimum of 1.03 billion USDT in June 2022 to a maximum of 8.39 billion USDT in April 2024, with a total fund size of 102.397 billion USDT in two years.
During this period, Huione-related business addresses have also maintained a large amount of reserves. Between June 2022 and June 2024, the average daily balance of all known HuionePay and HuioneGuarantee business addresses reached 35.68 million USDT.
Since Southeast Asia is a high-incidence area for criminals to use cryptocurrencies for illegal activities, Huione's business addresses have been affected to a certain extent. Taking the core business address TL8TBp currently used by HuioneGuarantee as an example, according to Bitrace monitoring, from July 1, 2023 to June 30, 2024, a total of 2.158 billion USDT flowed into this address, of which 35 million were high-risk funds for online gambling, accounting for 1.62%, 339 million were high-risk funds for black and gray transactions, accounting for 15.71%, 54 million were high-risk funds for money laundering, accounting for 2.50%, and 2 million were high-risk funds for fraud, accounting for 0.09%.
Analysis of the frozen address funds of Huiwang
On July 13, 2024, Tronscan showed that the Tron network address TNVaKW was restricted by Tether, of which up to 29.62 million USDT was frozen and could not be transferred. Bitrace intervened in the investigation immediately.
Preliminary investigation results show that only five days after TNVaKW was created, the total capital transaction scale exceeded 1 billion USDT, and deposits were collected from a large number of Tron addresses marked as HuionePayUser, as well as funds from other HuionePay official addresses and HuioneGuarantee official addresses. Therefore, Bitrace confirmed that the address was Huione's official business address, and determined that the reason for the freeze was the receipt of a large amount of stolen crypto funds.
The next day, the well-known chain detective ZachXBT further stated on the social platform that in the earlier theft of the Japanese exchange DMM, the relevant stolen assets had entered HuionePay through cross-chain exchange.
Based on the address disclosed by ZachXBT, Bitrace discovered more addresses related to the cleaning activities and reviewed the entire capital chain. Among them -
< >165 BTC through Avalanche Bridge cross-chain to Avalanche
< > 182 BTC through ThorChain Bridge cross-chain to Ethereum
< > 263 BTC through Threshold Birdge cross-chain to Ethereum
After tBTC, BTC.b and other assets were exchanged for USDT, USDC, DAI and other assets worth 31.82 million US dollars on chains such as Avalanche and Ethereum, they were exchanged to the TRON network through SWFT cross-chain, and about 14 million of them eventually entered TNVaKW.
It is worth noting that DMM is only one of the public security incidents in which funds flowed into Huione's address. When we investigated other incidents, we found that part of the funds in the Poloniex exchange theft were also related to Huione. Between June 5 and 7, 2024, at least 1.05 million USDT involved in the case flowed into HuionePay user addresses, and successively flowed into multiple HuionePay official business addresses including TLmktr, TR5F41, and TNVaKW.
There is no direct evidence that the freezing of TNVaKW is related to the funds of these two security incidents, but considering that other business addresses of Huione have not been frozen, this at least shows that the freezing action is not aimed at Huione Group itself.
Analysis of the run on Huiwang Payment
As mentioned above, the average daily balance of all known HuionePay and HuioneGuarantee business addresses is 35.68 million USDT, while in the three months before the freezing incident, the value has remained at around 40 million USDT. The frozen 29.63 million USDT is equivalent to 75% of its reserves, and there is a certain amount of withdrawal pressure.
Analyze the latest HuionePay business address TQuFSv -
This address was enabled 2.5 hours after TNVaKW was frozen, and began to process HuionePay users' recharge and withdrawal needs, and received 114,800 USDC inheritance from TNVaKW. As of 2024/7/16 9:34:39, its transaction volume has reached 733 million USDT.
The income and expenditure of TQuFSv were counted on an hourly basis, and no obvious abnormal funds were found. The address currently still has a balance of 12.88 million USDT.
Analyzing TQuFSv's counterparties, the top ten counterparties in terms of fund inflow transferred a total of 147 million USDT, of which two addresses were marked as HuioneGuarantee addresses, which transferred 73 million USDT and 15 million USDT to TQuFSv respectively, accounting for 23.64% of the total inflow; the top ten counterparties in terms of fund outflow obtained a total of 80 million USDT from TQuFSv, of which three addresses were marked as HuioneGuarantee addresses, and obtained funds of 14 million USDT, 8 million USDT and 6 million USDT respectively, accounting for 6.8% of the total outflow. 7.76%.
This shows that HuionePay experienced a large-scale outflow of funds after the freezing incident, but the official promptly supplemented the reserve from other business addresses to meet the user's withdrawal request.
KYT is important
For large-scale Crypto-using companies like Huione, sufficient capital throughput often attracts the attention of money laundering gangs. Under the increasingly perfect law enforcement actions involving currency cases around the world, the lack of ability to identify the risks of platform user address funds may affect the platform business and even cause the operator to be investigated.
Therefore, how to use professional KYT tools to accurately identify risky crypto funds and handle platform risk events based on necessary risk control procedures has become a matter that currency-related companies have to consider.
