Tether USD (hereinafter referred to as USDT) is a centralized stablecoin issued by Tether, which is bound by smart contracts in the blockchain network and anchored to the US dollar. In addition to the anonymous transfer and permissionless use characteristics of other cryptocurrencies, USDT also gives the issuer huge scheduling authority, allowing developers to issue and destroy USDT tokens of a certain address, or limit the operation authority of a specific address on USDT, which is also known as "Tether Freeze" in the industry.

This type of centralized freezing activity is usually triggered by law enforcement requests from governments around the world or temporary major crypto security incidents, and is intended to prevent known illegal and criminal activities using USDT, and intercept damaged assets to prevent further damage. As USDT is increasingly adopted in the real financial system, illegal and criminal activities involving currency are frequent, resulting in more widespread Tether freezing activities, which has had a significant negative impact on the business of a large number of web3 companies that are operating normally but accidentally collect risky crypto funds, and even brought legal risks.

This article will take the incident in which Cambodia Huiwang Group had 29.62 million USDT frozen by Tether as an example to analyze and explain this.

Overview of Huiwang's business scale

Huione Group is a large financial group located in Cambodia, with business sectors including cryptocurrency wallets, payments, transaction guarantees, insurance, cryptocurrency exchanges, etc. Its core payment and guarantee businesses use a large amount of USDT. According to the address tag data of DeTrust on-chain risk fund monitoring and management platform under Bitrace, the number of official and user addresses of HuionePay and HuioneGuarantee exceeds 180,000. It is the largest local crypto enterprise, with influence radiating to the entire Southeast Asia and even East Asia.

According to Bitrace monitoring, between June 2022 and June 2024, the monthly capital scale of all known HuionePay and Huione Guarantee business addresses has maintained an upward trend, from a minimum of 1.03 billion USDT in June 2022 to a maximum of 8.39 billion USDT in April 2024. The total capital scale in two years reached 102.397 billion USDT.

During this period, Huione-related business addresses have also maintained a large amount of reserves. Between June 2022 and June 2024, the average daily balance of all known HuionePay and HuioneGuarantee business addresses reached 35.68 million USDT.

Because Southeast Asia is a high-incidence area for criminals to use cryptocurrencies for illegal activities, Huione's business address has been affected to a certain extent. Taking HuioneGuarantee's core business address TL8TBp as an example, according to Bitrace monitoring, from July 1, 2023 to June 30, 2024, a total of 2.158 billion USDT flowed into the address, of which 35 million was high-risk funds for online gambling, accounting for 1.62%, 339 million was high-risk funds for black and gray production transactions, accounting for 15.71%, 54 million was high-risk funds for money laundering, accounting for 2.50%, and 2 million was high-risk funds for fraud, accounting for 0.09%.

Analysis of the funds at the frozen address of Huiwang

On July 13, 2024, Tronscan showed that the TRON network address TNVaKW was restricted by Tether, with up to 29.62 million USDT frozen and unable to be transferred. Bitrace immediately intervened in the investigation.

Preliminary investigation results show that only five days after TNVaKW was created, the total transaction volume exceeded 1 billion USDT, and deposits were received from a large number of TRON addresses marked as HuionePayUser, as well as funds from other HuionePay official addresses and HuioneGuarantee official addresses. Therefore, Bitrace confirmed that the address was Huione's official business address, and determined that the reason for the freeze was the receipt of a large amount of stolen crypto funds.

The next day, ZachXBT, a well-known on-chain detective, further stated on the social platform that in the earlier theft of the Japanese exchange DMM, the relevant stolen assets had entered HuionePay through cross-chain exchange.

According to ZachXBT’s public addresses, Bitrace discovered more addresses related to the laundering activities and reviewed the entire funding chain.

<>165BTC cross-chain to Avalanche via AvalancheBridge

<>182BTC cross-chain to Ethereum via ThorChainBridge

<> 263 BTC cross-chain to Ethereum via ThresholdBirdge

The acquired tBTC, BTC.b and other assets were exchanged for USDT, USDC, DAI and other assets worth 31.82 million US dollars on chains such as Avalanche and Ethereum, and then exchanged to the TRON network through cross-chain. Finally, about 14 million of them entered TNVaKW.

It is worth noting that DMM is only one of the public security incidents in which funds flowed into Huione's address. When we investigated other incidents, we found that part of the funds in the Poloniex exchange theft were also related to Huione. Between June 5 and 7, 2024, at least 1.05 million USDT involved in the case flowed into HuionePay user addresses, and successively flowed into multiple HuionePay official business addresses including TLmktr, TR5F41, and TNVaKW.

There is currently no direct evidence that the freezing of TNVaKW is related to the funds of the two security incidents, but considering that Huione’s other business addresses have not been frozen, this at least shows that the freezing action is not aimed at the Huione Group itself.

Analysis of the run on Huiwang Payment

As mentioned above, the average daily balance of all known HuionePay and HuioneGuarantee business addresses is 35.68 million USDT, while in the three months before the freezing incident, the value remained at around 40 million USDT. The frozen 29.63 million USDT is equivalent to 75% of its reserves, which means there is a certain amount of withdrawal pressure.

Analysis of the latest HuionePay business address TQuFSv——

This address was activated 2.5 hours after TNVaKW was frozen, and began to process HuionePay users' recharge and withdrawal needs, and received 114,800 USDC inheritance from TNVaKW. As of 2024/7/16 9:34:39, its transaction volume has reached 733 million USDT.

The income and expenditure of TQuFSv were counted on an hourly basis, and no obvious abnormal funds were found. The address currently still has a balance of 12.88 million USDT.

An analysis of TQuFSv's counterparties shows that the top ten counterparties in terms of fund inflow transferred a total of 147 million USDT, of which two addresses were marked as HuioneGuarantee addresses, which transferred 73 million USDT and 15 million USDT to TQuFSv respectively, accounting for 23.64% of the total inflow; the top ten counterparties in terms of fund outflow obtained a total of 80 million USDT from TQuFSv, of which three addresses were marked as HuioneGuarantee addresses, and obtained funds of 14 million USDT, 8 million USDT, and 6 million USDT respectively, accounting for 7.76% of the total outflow.

This shows that HuionePay experienced a large-scale capital outflow after the freezing incident, but the official promptly replenished the reserve from other business addresses and was able to meet users' withdrawal requests.