OFAC Sanctioned Crypto Addresses vs Tether's USDT Blacklist: Mapping 50 Frozen Entities by Crime Type

TL;DR: We cross-referenced the entire OFAC sanctions list against Tether’s on-chain freeze database. Every single OFAC-sanctioned crypto address on Ethereum and Tron is frozen — 195 addresses across 50 entities. But that’s only 2.3% of Tether’s 8,457 total freezes. North Korea leads with 64 frozen addresses. Tether sometimes freezes addresses months before OFAC designates them. And one Garantex address was unfrozen, sat dormant for two months with zero transactions, then was re-frozen.

North Korean weapons bankers, Hamas fundraisers, Russian cybercriminal exchanges, fentanyl traffickers — they all have one thing in common. Every single one of their USDT wallets is frozen.

But here’s what nobody has asked until now: who exactly are these 50 sanctioned entities? What crimes put them on the list? And does Tether actually freeze all of them — or just the ones that make headlines?

We went address by address to find out.

On December 9, 2023, something unusual happened on the Ethereum and Tron blockchains. In the span of 39 minutes — from 11:25 to 12:04 UTC — Tether submitted 159 freeze proposals. One after another, addresses belonging to North Korean hackers, Russian cybercriminals, Tornado Cash developers, drug traffickers, and election interference operatives were blacklisted.

It was the largest single OFAC compliance action in Tether’s history. And until now, no one had mapped out exactly who got frozen, when, and why.

We did. We cross-referenced the complete OFAC Specially Designated Nationals (SDN) list against every freeze proposal in our USDT Freeze Dashboard database. The result: a comprehensive map of how Tether’s freeze mechanism intersects with US sanctions enforcement — address by address, entity by entity, crime category by crime category.

Here’s what we found.

The Numbers: 100% OFAC Compliance, But That’s Only 2.3% of the Story

Let’s start with the headline number: every single OFAC-sanctioned Ethereum and Tron address is frozen in Tether’s database. That’s 195 unique addresses across 50 sanctioned entities, covered by 198 freeze proposals (197 blacklistings plus one notable unblacklisting — more on that later).

But here’s the twist. Those 195 addresses represent just 2.3% of the 8,457 total addresses Tether has frozen since 2017. The other 97.7% — more than 8,200 addresses — were frozen for reasons that don’t appear on any public OFAC list. Figure 1 shows just how lopsided this ratio is.

Figure 1: OFAC-sanctioned addresses account for just 2.3% of Tether’s total frozen addresses. The vast majority of freezes come from law enforcement requests, fraud investigations, and other non-OFAC compliance actions.


That means the vast majority of Tether’s freeze actions come from direct law enforcement requests, internal investigations, and compliance operations that operate entirely outside the public sanctions framework. Tether has stated it works with more than 235 law enforcement agencies across 55 jurisdictions, and the data backs that up.

So while OFAC compliance gets the headlines, the real enforcement machine is much bigger — and much less visible.

The December 9, 2023 Sweep: 39 Minutes That Changed Everything

Before December 2023, Tether’s approach to OFAC sanctions was… selective. Only three sanctioned entities had been frozen:

Then, on December 1, 2023, Tether announced a new voluntary wallet-freezing policy targeting OFAC’s SDN list. Eight days later, they pulled the trigger.

In that 39-minute window on December 9, Tether froze addresses belonging to:

| Entity | Crime Category | Addresses Frozen |
|---|---|---|
| Lazarus Group | North Korea (DPRK3) | 8 |
| Roman Semenov / Tornado Cash | N. Korea-linked Laundering (DPRK3) | 8 |
| Peijnenburg Alex | Drug Trafficking | 7 |
| CHATEX | Cybercrime (CYBER2) | 5 |
| SUEX OTC | Cybercrime (CYBER2) | 4 |
| Secondeye Solution | Election Interference | 4 |
| Kim Sang Man | North Korea (DPRK4) | 2 |
| Grimm Matthew Simon | Drug Trafficking | 2 |
| Lifshits Artem | Election Interference | 2 |
| Shen Xingbiao | Drug Trafficking | 2 |
| Zhang Wei | Drug Trafficking | 2 |
| + 18 more entities | Various | Various |

The media covered it as “Tether freezes 41 crypto wallets tied to sanctions.” Our data shows that of the 159 total addresses frozen that day, 65 belonged to OFAC-sanctioned entities — far more than the 41 reported. The remaining 94 were non-OFAC freezes executed in the same batch, likely from law enforcement requests.

Blockworks called it “16 months later, Tether finally bends to OFAC”. The on-chain data tells us exactly how they did it: not gradually, not one-by-one, but in a single massive batch. From a compliance perspective, this was a switch being flipped, not a dial being turned.

Figure 2 shows this pattern clearly — the December 2023 spike dwarfs every other month, with subsequent freezes trickling in as OFAC designated new entities through 2024 and 2025.

Figure 2: Timeline of OFAC-related Tether freeze proposals (addBlackList actions) from 2023 to 2025. Each bar represents the number of freeze proposals submitted that month. The December 2023 bar (66 proposals, including 65 on Dec 9 alone) dominates the chart. Later spikes correspond to new OFAC designations: CHEIL Credit Bank (Nov 2025, 34), Ansarallah/Houthis + CHEIL (Apr 2025, 23), and Garantex/Grinex re-freeze (Aug 2025, 18). Total: 197 addBlackList proposals across all months.


Breaking Down the Crime Categories

The 50 OFAC-sanctioned entities frozen by Tether fall into five distinct crime categories, as shown in Figure 3. Each tells a different story about how sanctioned actors use — and lose — their USDT.

Figure 3: OFAC-sanctioned addresses frozen by Tether, grouped by crime category. North Korea leads with 64 addresses (driven by CHEIL Credit Bank’s 53 Tron wallets), followed by cybercrime (56 addresses across 18 entities) and terrorism/Iran (36 addresses across 8 entities). Each address is counted once under its primary crime category; entities sanctioned under multiple programs (e.g., Garantex under both CYBER4 and RUSSIA-EO14024) are classified by their primary criminal activity.


North Korea: 64 Addresses, 4 Entities

North Korea’s crypto operation is the most prolific in our dataset by address count, dominated by two entities: CHEIL Credit Bank (53 addresses) and the Lazarus Group (8 addresses).

CHEIL Credit Bank is a North Korean financial institution sanctioned by OFAC since 2017, operating under aliases like “First Credit Bank” and “Kyongyong Credit Bank.” On November 4, 2025, OFAC listed 53 cryptocurrency addresses belonging to the bank — all on the Tron network, all holding USDT.

Here’s what’s interesting: 26 of those 53 addresses were already blacklisted by Tether before OFAC even published them. Tether was ahead of OFAC. Between June 2023 and May 2025, these wallets collectively received more than $12.7 million, funding DPRK ransomware operations and IT worker schemes targeting US companies.

Our data shows the first CHEIL freeze on April 30, 2025, with the last on November 5, 2025 — meaning Tether continued freezing newly discovered addresses over a 6-month period. You can explore all CHEIL Credit Bank frozen addresses on our dashboard, such as TA3941uFAvmVibSkQ6fMJXxmaSNovX86mz.

The Lazarus Group needs little introduction. North Korea’s state-sponsored hacking unit has stolen billions in cryptocurrency, including the $1.5 billion Bybit exploit in February 2025. Their 8 Ethereum addresses in our dataset were all frozen during the December 9, 2023 sweep. These are the addresses OFAC designated in 2022 after tracing $455 million in stolen funds from the Axie Infinity Ronin bridge hack.

Explore Lazarus Group frozen addresses on the dashboard, such as 0x098B716B8Aaf21512996dC57EB0615e2383E2f96.

Terrorism & Iran: 36 Addresses, 8 Entities

This is where geopolitics meets the blockchain. The entities here — Ansarallah (the Houthis), Gaza Now, Al-Jamal Sa’id (a Houthi financial official), and several Iran-linked actors — are tied to active conflicts and some of the most consequential sanctions programs in OFAC’s portfolio.

Ansarallah (Houthis) — 8 addresses on Tron, all USDT. Designated as a Foreign Terrorist Organization in February 2024, their wallets had a combined total inflow of nearly $900 million — a staggering figure for a designated terror group. Our database shows the first Tether freeze on December 11, 2024, with additional addresses frozen through April 2, 2025, as OFAC expanded sanctions on Houthi weapons procurement networks. View Ansarallah frozen addresses: TGUPpmW2bAnMCLe5ih2CFisfCHk4gTFDsx (Dec 2024 batch), TC4VsFHJdZ66BdwobZxkudVZBVmQZgCP65 (Apr 2025 batch)

Gaza Now — 7 addresses across ETH and Tron. This is one of the most time-sensitive cases in our dataset. The first Tether freeze came on October 11, 2023 — just three days after the October 7 Hamas attack on Israel. The US and UK didn’t formally sanction Gaza Now until March 27, 2024, meaning Tether moved five months before official OFAC designation. According to media reports, Gaza Now raised only about $21,000 in crypto after October 7 — most of which was quickly frozen.

View Gaza Now frozen addresses: 0xE950DC316b836e4EeFb8308bf32Bf7C72a1358FF, TTgcTTNbNuFdbrhvbjMZVrdU5KALyzDaPw

Zedcex Exchange — 7 Tron addresses, designated under Iran sanctions (IFSR, IRAN-EO13902, SDGT). Frozen between June 20 and July 2, 2025. An Iranian-linked exchange facilitating sanctions evasion.

Al-Jamal Sa’id Ahmad Muhammad — 5 USDT addresses on Tron, a senior financial official linked to Houthi/Hezbollah operations. All frozen on December 20, 2024.

Cybercrime: 56 Addresses, 18 Entities

Sanctioned crypto exchanges, ransomware operators, botnet kingpins, election interference operatives — the cybercrime bucket catches everything digital. Figure 4 ranks the top entities by frozen address count across all categories.

Figure 4: Top 10 OFAC-sanctioned entities by number of addresses frozen by Tether. CHEIL Credit Bank dominates with 53 addresses, all on Tron. Garantex and Grinex together account for 17 addresses — reflecting OFAC’s sustained campaign against the Garantex ecosystem.


Garantex — The biggest story here, and it deserves its own section (see below).

Roman Semenov / Tornado Cash — 8 Ethereum addresses. Semenov co-founded the crypto mixing service Tornado Cash, which OFAC sanctioned in August 2022 after it was used to launder over $1 billion, including funds stolen by the Lazarus Group. Semenov himself was sanctioned in August 2023 and charged with conspiracy to commit money laundering. He’s believed to be in Russia, still wanted by the FBI.

Interestingly, OFAC removed Tornado Cash itself from the SDN list in March 2025, following a legal challenge. But Semenov’s personal addresses remain sanctioned — and frozen. Explore his frozen addresses on the dashboard, such as 0xdcbEfFBECcE100cCE9E4b153C4e15cB885643193.

SUEX OTC — 4 ETH addresses. SUEX was the first crypto exchange sanctioned by OFAC in September 2021, for facilitating transactions from at least 8 ransomware variants. All addresses frozen during the December 9, 2023 sweep.

CHATEX — 5 ETH addresses. Another Russian-linked exchange sanctioned in November 2021 for facilitating ransomware payments. Also frozen in the December 2023 sweep.

Grinex — 7 Tron addresses. Sanctioned under CYBER4 alongside Garantex-related entities. Grinex was frozen by Tether on August 15, 2025 — the same day Garantex was re-frozen, suggesting coordinated enforcement against Garantex’s successor operations.

Election Interference Cluster — Secondeye Solution (4 addresses), Lifshits Artem (2), Andreyev Anton (1), SOUTHFRONT (2). All linked to Russian election interference operations under OFAC’s CYBER2 and ELECTION-EO13848 programs. All frozen December 9, 2023.

Drug Trafficking: 27 Addresses, 12 Entities

The drug trafficking category spans three continents. Notable entities:

Peijnenburg Alex Adrianus Martinus — 7 ETH addresses, a Dutch national sanctioned under the fentanyl-focused Executive Order 14059. All frozen December 9, 2023.

Chinese precursor chemical networks — Shen Xingbiao (2 addresses), Zhang Wei (2), Xia Fengbing (1), Wang Jiantong (1), Wang Mingming (1). All sanctioned under the same EO for supplying fentanyl precursor chemicals. Frozen across December 2023–2024.

Sokolovski Rolan — 5 addresses across ETH and Tron. Sanctioned under the ILLICIT-DRUGS executive order for his role in drug-related money laundering. Frozen November 20, 2025.

Task Force Rusich — 3 addresses (ETH + Tron). A Wagner Group-linked paramilitary unit fighting in Ukraine, sanctioned under Russia sanctions. Frozen December 9, 2023.

OKO Design Bureau — 2 addresses. A Russian military technology supplier. Frozen May 2024.

Aeza Group — 1 Tron address. A Russian bulletproof hosting provider sanctioned under both CAATSA and CYBER4 programs. Frozen July 2, 2025.

Other Russia-linked entities include Gambashidze (election interference), Chirkinyan Elena, Magomedov, and Zimenkov Jonatan — individuals sanctioned for various Russia-related activities.

The Garantex Saga: Freeze, Unfreeze, Re-Freeze

Garantex is the most interesting case in our dataset. Its on-chain freeze history, shown in Figure 5, reads like a compliance thriller.

Figure 5: The Garantex freeze timeline — from the first freeze in December 2023, through a rare unfreeze in June 2025, to a mass re-freeze of all remaining addresses in August 2025. This is the only OFAC entity in our dataset that shows a removeBlackList event.

The Garantex Timeline

April 2022: OFAC sanctions Garantex, a Moscow-based crypto exchange linked to over $100 million in transactions involving darknet markets and ransomware groups (including Conti and the Hydra marketplace).

December 2, 2023: Tether freezes the first Garantex Ethereum address — one week before the big OFAC sweep.

December 9, 2023: A second Garantex address is frozen during the batch sweep.

March 2025: International law enforcement seizes Garantex’s domains. Tether assists the Secret Service in freezing $23 million tied to the exchange. Days later, founder Aleksej Besciokov is arrested in Kerala, India while vacationing with his family. He faces charges carrying up to 20 years for money laundering and IEEPA violations.

June 21, 2025: Here’s where it gets interesting. Tether unfreezes one Garantex address (0xD8500C631dC32FA18645B7436344a99E4825e10e). This is one of only a handful of removeBlackList actions in our entire database. The reason isn’t public, but it may relate to ongoing legal proceedings or asset recovery operations. Notably, our on-chain data shows zero USDT transfers on this address during the nearly two months it remained unfrozen — suggesting the unfreeze may have been procedural rather than operational.

August 15, 2025: The pendulum swings back. Tether freezes 9 Garantex addresses in a single day — 3 on Tron, 6 on Ethereum — including a re-freeze of 0xD8500C631dC32FA18645B7436344a99E4825e10e. This brings the total Garantex frozen addresses to 10. On the same day, Tether also froze addresses belonging to Grinex (7 addresses) and Old Vector LLC (2 addresses) — entities designated under CYBER4 alongside Garantex’s network.

The Garantex story illustrates something important: USDT freezing isn’t a one-time event. It’s an ongoing process that evolves alongside law enforcement operations. Addresses get frozen, sometimes unfrozen, and then frozen again as investigations progress and new intelligence emerges.

Explore all 10 Garantex frozen addresses on our dashboard, such as 0xD8500C631dC32FA18645B7436344a99E4825e10e (Dec 2023 batch), 0x8dce2aac0de82bdcaf6b4373b79f94331b8e4995 (Aug 2025 batch), and TFwjPScaJRCbSWVAywE1S1WgaUgSnyYUbD (Tron, Aug 2025 batch).

The Pre-Emptive Pattern: When Tether Moves Before OFAC

Here’s something we didn’t expect: Tether doesn’t always wait for OFAC. In several cases, addresses were frozen before they appeared on the official SDN list. Figure 6 visualizes the gap between Tether’s freeze actions and OFAC’s official designations.

Figure 6: The pre-emptive pattern — Tether froze addresses months before OFAC officially designated them. Gaza Now was frozen 5 months before its OFAC designation; 26 of CHEIL Credit Bank’s 53 addresses were frozen 6 months before OFAC listed them.


Gaza Now: Frozen October 11, 2023. OFAC designation: March 27, 2024. Tether was 5 months early.

CHEIL Credit Bank: 26 of 53 addresses frozen before the November 4, 2025 OFAC listing — confirmed by our freeze database.

What does this mean? Tether likely maintains its own intelligence capabilities — or works closely enough with law enforcement and blockchain analytics firms — to identify sanctioned entities’ wallets before official OFAC designations drop. For compliance teams, the implication is clear: Tether’s freeze database can be a leading indicator, not just a lagging response to sanctions lists.

What About the Other 97.7%?

Our OFAC matching covers 195 addresses — just 2.3% of the 8,457 total frozen addresses. So what triggered the other 8,262 freezes?

We don’t have a public breakdown, but based on Tether’s disclosures and law enforcement press releases, the categories likely include:

  1. Direct law enforcement requests — Tether works with 235+ agencies across 55 countries. Individual freeze requests from police, FBI, DOJ, or foreign equivalents make up a large portion.

  2. Exchange hacks and stolen funds — When exchanges get hacked (like the $1.5B Bybit exploit), stolen USDT is quickly frozen.

  3. Fraud and pig butchering schemes — Romance scams and investment fraud generate enormous volumes of frozen addresses.

  4. Court orders and civil forfeiture — The DOJ’s June 2025 action to freeze $225 million in USDT was a civil asset forfeiture case.

  5. Internal compliance flags — Tether’s own monitoring systems may flag suspicious patterns.

The OFAC list, while comprehensive for designated entities, captures only a small fraction of the criminal ecosystem. The real enforcement picture is much broader.

What This Means for Compliance Teams

If you’re running compliance at a crypto exchange or financial institution, here’s what matters:

1. SDN screening alone won’t cut it. If OFAC-listed addresses are only 2.3% of Tether’s freezes, then 97.7% of your risk comes from somewhere else. You need transaction monitoring, behavioral analysis, and law enforcement coordination — not just list-matching.

2. Watch for Tether freezes that aren’t on the SDN list yet. When Tether freezes an address before OFAC designates it, that’s a signal. Don’t dismiss it just because it’s not on the list — it may mean the designation is coming.

3. Treat the freeze database as a real-time compliance feed. Since Tether started disclosing blacklist events in real time (September 2025), the freeze database is effectively a live signal. BlockSec’s Phalcon Compliance integrates this data so you can monitor exposure to sanctioned and frozen addresses as it happens.

4. Not all freezes carry the same risk. An address frozen because of North Korean hacking carries different implications than one frozen for drug trafficking. Understanding the why behind a freeze helps you calibrate your response — and explain it to regulators.

How to Check Your Exposure

Want to see if any of these OFAC-sanctioned addresses appear in your transaction history? Here’s how:

  1. Check the USDT Freeze Dashboard — search any address to see its freeze status, timeline, and related proposals.

  2. Use Phalcon Compliance — BlockSec’s compliance tool lets you scan wallets and transactions against both OFAC lists and Tether’s freeze database simultaneously. It provides real-time alerts when your addresses interact with sanctioned or frozen wallets.

  3. Monitor the SDN list directly — OFAC’s SDN search tool is free and includes all designated crypto addresses.

Methodology

A note on scope: The OFAC SDN list contains a total of 767 cryptocurrency addresses (751 unique) across 80 sanctioned entities and 18 blockchains, as of February 2026. Bitcoin addresses make up the majority (519, or 68%), since many early sanctions targeted ransomware and darknet market actors who primarily used BTC. Our analysis focuses on the 195 unique addresses on Ethereum and Tron — the two chains where Tether USDT operates. These represent about 27% of all OFAC-listed crypto addresses.

It’s also worth noting that OFAC’s listed addresses are not necessarily exhaustive. Sanctions target entities, not addresses. A sanctioned group like Lazarus may control thousands of wallets, but OFAC only lists the ones they’ve publicly identified. The 195 addresses we analyze here are the officially published subset — the real number of wallets controlled by these 50 entities is almost certainly larger.

For this analysis, we:

  1. Downloaded the complete OFAC SDN advanced XML file and extracted all cryptocurrency address entries tagged as Ethereum, Tron, or USDT. OFAC labels some addresses by token (USDT) rather than by chain, so after resolving these to their actual chains and deduplicating, we arrived at 195 unique addresses on Ethereum and Tron across 50 sanctioned entities.

  2. Cross-referenced these 195 addresses against our USDT Freeze Dashboard database, which tracks every addBlackList and removeBlackList action submitted to Tether’s multi-sig contract on Ethereum and Tron.

  3. Grouped results by sanctioned entity and crime category. The primary mapping uses OFAC program codes: DPRK3/4 = North Korea, SDGT/FTO/IFSR = Terrorism & Iran, CYBER2/3/4 = Cybercrime, ILLICIT-DRUGS-EO14059 = Drug Trafficking, RUSSIA-EO14024 = Russia Sanctions. Many entities are sanctioned under multiple programs — for example, Garantex carries both CYBER4 and RUSSIA-EO14024. In these cases, we classify each entity once by its primary criminal activity (what the entity actually does) rather than counting it in multiple categories. Garantex and Cryptex are classified as Cybercrime because they are crypto exchanges facilitating cybercriminal transactions; Roman Semenov is classified as Cybercrime (Tornado Cash founder) despite his DPRK3 designation, which reflects Lazarus Group’s use of Tornado Cash rather than Semenov’s own nationality or affiliation.

  4. Verified news stories and designation dates against public sources (OFAC press releases, DOJ announcements, blockchain analytics firm reports) to construct the timeline and narrative context.

All data is based on the OFAC SDN list and our dashboard database as of February 22, 2026.
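
The cross-referencing in steps 1 to 3, as an added Python example (not the dashboard's own pipeline code). It goes slightly beyond the steps by also replaying removeBlackList events to find unfreeze gaps and by computing how many days a freeze preceded designation. The tuple layouts, entity names and addresses are constructed placeholders; the freeze and designation dates mirror those reported above for Garantex and Gaza Now, except Entity A's designation day, which is constructed.

```python
import re
from datetime import date

ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
TRON_RE = re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")  # base58, mainnet 'T' prefix

def normalize(addr):
    """Resolve the chain from the address format, not from the list's label."""
    addr = addr.strip()
    if ETH_RE.match(addr):
        return ("ETH", addr.lower())  # hex: checksummed and lowercase forms are equal
    if TRON_RE.match(addr):
        return ("TRON", addr)         # base58 is case-sensitive, keep as published
    return None                       # other chains are out of scope

def sdn_index(rows):
    """rows: (entity, list_label, address, designation_date). Dedupe by address."""
    index = {}
    for entity, _label, addr, designated in rows:
        key = normalize(addr)
        if key is not None:
            index.setdefault(key, (entity, designated))
    return index

def replay(events):
    """events: (day, action, address). Returns per-address freeze history."""
    state = {}
    for day, action, addr in sorted(events, key=lambda e: e[0]):
        key = normalize(addr)
        if key is None:
            continue
        s = state.setdefault(key, {"frozen": False, "first": None, "since": None, "gaps": []})
        if action == "addBlackList" and not s["frozen"]:
            if s["first"] is None:
                s["first"] = day
            if s["since"] is not None:          # closing an unfrozen window
                s["gaps"].append((day - s["since"]).days)
            s["frozen"], s["since"] = True, None
        elif action == "removeBlackList" and s["frozen"]:
            s["frozen"], s["since"] = False, day
    return state

def cross_reference(sdn_rows, events):
    """Per SDN address: current status, lead time, unfreeze gaps; plus non-SDN freezes."""
    sdn, state = sdn_index(sdn_rows), replay(events)
    report = {}
    for key, (entity, designated) in sdn.items():
        s = state.get(key, {"frozen": False, "first": None, "gaps": []})
        # Positive lead_days: the freeze came before the designation.
        lead = (designated - s["first"]).days if s["first"] else None
        report[key] = {"entity": entity, "frozen_now": s["frozen"],
                       "lead_days": lead, "unfrozen_gaps": s["gaps"]}
    non_sdn = sorted(k for k, s in state.items() if s["frozen"] and k not in sdn)
    return report, non_sdn

# Constructed sample data: placeholder addresses, not real wallets.
ETH_A, TRON_B, ETH_C = "0x" + "Ab12" * 10, "T" + "Qx7" * 11, "0x" + "c3" * 20
SDN_ROWS = [
    ("Entity A", "ETH", ETH_A, date(2022, 4, 5)),
    ("Entity A", "USDT", ETH_A.lower(), date(2022, 4, 5)),  # same wallet, token label
    ("Entity A", "XBT", "bc1qconstructedexample", date(2022, 4, 5)),
    ("Entity B", "USDT", TRON_B, date(2024, 3, 27)),
]
EVENTS = [
    (date(2023, 10, 11), "addBlackList", TRON_B),
    (date(2023, 12, 9), "addBlackList", ETH_A),
    (date(2024, 1, 1), "addBlackList", ETH_C),               # not on the SDN list
    (date(2025, 6, 21), "removeBlackList", ETH_A.lower()),
    (date(2025, 8, 15), "addBlackList", ETH_A),
]

if __name__ == "__main__":
    report, non_sdn = cross_reference(SDN_ROWS, EVENTS)
    for key, row in report.items():
        print(key, row)
    print("frozen but not on SDN:", non_sdn)
```

Matching on the raw strings instead of the normalized key would miss the lowercase Ethereum rows, since published addresses appear in both checksummed and lowercase form.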


The USDT Freeze Dashboard tracks every Tether freeze proposal in real time across Ethereum and Tron. For enterprise compliance needs, Phalcon Compliance provides automated monitoring, risk scoring, and alerts for sanctioned and frozen address exposure.
