Wednesday, June 24, 2026
OFAC's Latest ISIS-Linked TRON Wallet Designation Reveals a Larger Risk Network
Global News.png){kind=logo}
On June 22, 2026, OFAC designated a set of individuals and entities linked to ISIS financial facilitation. The action covered money service businesses, bureau de change operators, and two TRON addresses tied to Miloud Abderrahmane, also known as Ibrahim Ghazi.
Two wallet addresses were listed:
TBXMiRqUp1XH1zLazWu8cWitMAScv4HsYqTDFj8tYzfLDkwEMo4MJ2DfrbpMztuCCnanScorechain analyzed both addresses immediately after the designation. What the on-chain data reveals is more than a standard sanctions screening case. It shows a wallet cluster with a clear funding chain, repeated inflows from suspicious sources, and downstream exposure to exchange-linked infrastructure, all of it active long before OFAC's public action.
The first point Scorechain's analysis establishes is that these are not two isolated addresses. They are part of the same sanctioned entity cluster.
Both wallets are classified in Scorechain under a single entity:
This matters for compliance teams running exposure checks. A customer may not have transacted directly with the first listed address but may still carry exposure to another wallet in the same cluster, a connected counterparty, or a downstream recipient.
Address matching against a published sanctions list is a necessary starting point. It is not a sufficient compliance control.
TBXMiRqUp1XH1zLazWu8cWitMAScv4HsYq was active from February 14, 2024 to December 1, 2024.
The transaction profile was primarily USDT on TRON, with TRX used for gas and operational purposes:
The amounts are modest. That is consistent with many terrorist financing and facilitation cases. The significance of a wallet is defined by the entity behind it, the counterparties it touches, and the movement of funds across the network, not the size of the balances.
Scorechain identified the first wallet's funding source as an address linked to KuCoin infrastructure:
TKpn4QSQ6Q1fKkF67Ljz2qmnskrLXGi9tP
The funding transaction was recorded on February 14, 2024, the same day the first wallet became active.
This does not indicate any knowledge or involvement on the part of the exchange. It demonstrates that the sanctioned wallet had a direct on-chain link to exchange-connected infrastructure from its first day of operation.
For regulated institutions, this type of finding has a specific implication after a designation. Compliance teams need to run historical lookback analyses to determine whether their platform, their customers, or their counterparties had any exposure before the address appeared on a public sanctions list.
One of the more operationally significant findings in Scorechain's analysis is that the first OFAC-listed wallet received repeated inflows from an address classified as suspicious by Scorechain OSINT Intelligence:
TLj5jNLzaoR94c5WUH9uxpQAY3RZT6gh2y
The suspicious source transferred USDT to the sanctioned wallet on multiple occasions:
This is where the case moves beyond a pure sanctions screening question.
An OFAC designation confirms a status at the point in time it is published. On-chain intelligence can identify whether warning signals were already visible before that publication. In this case, Scorechain's OSINT-based risk signals flagged suspicious source exposure on this wallet before the public sanctions action. That is the operational value of continuous transaction monitoring over point-in-time screening.
After receiving inflows, the first wallet moved USDT to several wallets and exchange-linked entities. Scorechain observed transfers including:
TCss8bHmorF7nyWEYBSHSE4un2i1sWX13rTQhSszDcnsw1yVEQUD7vV11HX82uTyK5R6TCkFYLRBsz2ukGahP9TV1kcECcGN3qgEQ6Additional transfers went to addresses linked to LBank infrastructure, Binance infrastructure, and several unidentified wallets.
The pattern is consistent with a movement wallet, not a passive holding address. Funds arrived from exchange-linked and suspicious sources, then were redistributed across multiple counterparties.
TDFj8tYzfLDkwEMo4MJ2DfrbpMztuCCnan was active from December 1, 2024 to August 11, 2025.
Its transaction profile was smaller:
The critical detail is the funding source. Scorechain's analysis shows that the second OFAC-listed wallet was funded directly by the first OFAC-listed wallet on December 1, 2024:
This direct wallet-to-wallet transfer confirms the operational relationship between both addresses and supports their classification under the same sanctioned entity cluster.
After receiving funds from the first sanctioned wallet, the second address later transferred value to Binance-linked infrastructure:
The second wallet remained active until August 2025. The designation was issued in June 2026. That is a gap of nearly ten months between the last on-chain activity and the public action.
Any institution that had exposure to this wallet cluster between December 2024 and August 2025 needs to conduct a lookback analysis now. The designation creates a retroactive obligation to understand that exposure.
Five findings emerge from the graph:
The listed addresses are the entry point for any investigation. The graph is where the actual exposure path becomes visible.
For VASPs, exchanges, custodians, banks, and fintechs, this designation raises one immediate question:
Was there exposure before June 22, 2026?
The first wallet was active from February 2024. The second was active through August 2025. OFAC's designation came in June 2026. That is a multi-year window during which institutions could have had direct or indirect exposure without knowing it.
A proper post-designation review should cover:
TLj5jNLzaoR94c5WUH9uxpQAY3RZT6gh2yThe goal is not only to block future transactions against the listed addresses. It is to determine whether customers or counterparties interacted with any part of this network during the period it was active.
This case is a direct illustration of why address-based sanctions screening has structural limits.
Screening against the SDN list tells you whether a specific address has been designated. It does not tell you:
Scorechain's analysis of this OFAC action identified two TRON addresses under the same sanctioned entity, a direct inter-wallet transfer confirming the cluster relationship, repeated inflows from a suspicious OSINT-flagged source, exchange-linked exposure on both the inflow and outflow sides, and an active window stretching back more than two years before the public designation.
For compliance teams, this turns a sanctions update into an investigation workflow. The listed wallet tells you where to start. The graph tells you where the risk moved.
Scorechain provides sanctions screening and transaction monitoring across Bitcoin, Ethereum, TRON, Litecoin, Bitcoin Cash, XRP, Stellar, and over 50 other blockchains and tokens, including USDT on TRON.
A wallet cluster groups addresses that Scorechain's analysis identifies as belonging to the same entity. This means exposure checks extend beyond a single listed address to cover the full set of wallets associated with the same sanctioned individual or organization.
Scorechain continuously crawls open-source intelligence sources to identify addresses associated with suspicious or high-risk activity. These addresses receive risk scores in Scorechain independently of official sanctions designations, providing earlier warning signals for compliance teams.
A lookback analysis reviews historical transaction data to determine whether your customers or counterparties had direct or indirect exposure to a newly designated address or wallet cluster before the designation was issued. Scorechain's platform supports this through retroactive transaction monitoring and graph analysis.
Scorechain updates its sanctions coverage rapidly following OFAC designations to ensure compliance teams can run exposure checks as quickly as possible after a new action.
Scorechain is a blockchain analytics and crypto compliance company serving VASPs, exchanges, banks, fintechs, custodians and regulators across 45+ countries. Our platform covers transaction monitoring, wallet screening, sanctions screening, and blockchain investigations across 50+ blockchains.
Contact us to run an exposure check against this OFAC designation or to discuss your sanctions compliance program.
