Tracing IRGC Crypto Activity Around the Hormuz Toll System

The Strait has been effectively closed to most commercial shipping since Feb 28, 2026. Kpler counted 214 crossings in March (~6–7/day, 94% below baseline). Maersk, MSC, CMA CGM suspended; 150+ vessels stranded at peak. Selective passage is granted to China, India, Pakistan, Turkey, and Saudi Arabia-linked vessels via IRGC Navy escort and VHF passcode; US/Israel-linked ships denied.

Why this matters for the data below: every PortWatch transit is a candidate toll payer — small daily counts are the baseline under closure, not a suspicious anomaly. TRM Labs estimates $20M/day from oil tankers at ~$0.50–1 per barrel (~$2M per VLCC) and notes the toll infrastructure "deploys the same architecture" as the Zedcex/Zedxion IRGC pipeline — which is the starting point of this investigation.

Sources: TRM Labs · HormuzStraitMonitor · HormuzTracker · hormuz-crossing-tracker. Unresolved conflict: dailycoinpost.com claims Bitcoin, not USDT. Weighted toward TRM.

Caveats: Tron processes ~$50B USDT daily, so coincidences are easy to find. PortWatch and Windward disagree on some days. No vessel-level transit timestamps. A professional investigation would have exchange cooperation and maritime intelligence we don't.

1. Solid $7M from an OFAC-frozen IRGC wallet. TCdLhRdH received $7,000,000 from TFcLDs8S on Feb 9, 2026. TFcLDs8S was later Tether-frozen for IRGC/Houthi links. Places TCdLhRdH inside IRGC crypto infrastructure; doesn't prove Hormuz tolls specifically.
2. Solid IRGC pre-positions ahead of Tether freezes. Three freeze waves (Jun 2025, Jan 2026, Mar 2026). Each time money had already moved to new wallets before the freeze landed. Near-zero operational gap implies anticipation.
3. Suggestive March 25 single-ship day alignment. 1 vessel per PortWatch (Windward: 5). A $400K→$500K transfer chain ran through our candidate addresses that day. tx. $500K transfers are common on Tron.
4. Suggestive April 1 surge on first formal toll day. ~$4.3M flowed through TMesyn in a mixer-like pattern on the day Iran's "Strait of Hormuz Management Plan" took effect. TMesyn not confirmed IRGC-controlled.
5. Suggestive Iran's own fleet: no matching activity. Mar 20: NORTH STAR, KYLO, DEEPBLUE (OFAC-sanctioned, Iranian crude) transited with zero matches on 31 watched addresses. Consistent with Iran not charging its own fleet. We only watch 31 addresses.
6. Speculative $1 "receipt" pattern on THwNrbB5. Every outbound transfer from THwNrbB5 is paired with a $1 transfer to TLntW9Z5. Looks automated. $1 test sends are common on Tron for many reasons.
7. Speculative A "toll infrastructure" topology. The traced addresses look like a collection network: front-line collectors, hub, consolidation, pipeline back to IRGC-linked wallets. Fits the toll story; also fits any other IRGC financial operation.

⚠ Ship data is a snapshot, not live (no CORS from MarineTraffic). On-chain data refreshes on demand from Tronscan/TronGrid.

Vessels where on-chain transfers matched transit data. Positions approximate. Click a vessel for tx details.

⚠ "Pattern fit" is narrative fit, not statistical likelihood — many of these could be coincidence. Vessel attributions prefer arrivals (first day present in the Gulf zone per hormuz-crossing-tracker) over continuously-present ships, because a tanker that just entered is a more plausible fresh toll candidate.

On-chain transfers tracked across our watched addresses, Mar 5 – Apr 9:

March (pre-codification)	~$5.2M
April 1–9 (formal toll system)	~$10.4M
Total tracked	~$15.6M

Lower bound only. Yuan payments, undiscovered addresses, and cash are invisible to us. TRM Labs estimates $20M/day from oil tankers alone at current toll rates; IRGC moved ~$3B through crypto in 2025.

Role labels are our interpretation, not confirmed attribution.

Top exit destinations:

Address	Received	Source	Behavior
TQZf9xA3...ME6S	$13.5M+ (Apr 9 alone)	via TMesyn → TLPCfx4h	High volume pass-through. Sends $9M-$12M single txs to TBm6H3AJ.... Could be exchange deposit, OTC desk, or IRGC-controlled wallet — unknown.
TQRs6Z9T...BAPc	$8.6M	via TMesyn → TA23JZxs	Pass-through. 8 counterparties. Receives $3M+ batches.
TFSUiBeb...HGWZ	$8.0M	via TMesyn → TK6B2fw3	10+ counterparties, $1M batches. Pattern consistent with an exchange deposit, but not confirmed.
TGdp64tP...NvtW	$600K	from TPTahdRc (Mar 25)	Received the $600K outflow on the reported single-ship day. Pass-through.
TEU553vX...Whav	$450K	from THwNrbB5 (Apr 9)	3 transfers on Apr 9 ($200K+$200K+$50K).

TMesyn on April 1 is the clearest exit funnel: $4.3M in, immediately split into $1.8M + $1.1M + $850K + $810K to four exit wallets, forwarded within hours to the addresses above. Whether the final destination is an exchange, OTC, or IRGC treasury is unknown — further tracing would need exchange cooperation or LE data.

Date	Event	IRGC response
Jun 2025	Tether freezes $37M across IRGC/Houthi wallets, including TCA9vmjs (Zedcex #7)	Operations shift to TFcLDs8S and new intermediaries. $21M flows through TFcLDs8S over the next 6 months.
Jan 30, 2026	OFAC designates Zedcex/Zedxion, lists 7 Tron addresses. All 8 addresses get Tether-blacklisted.	Money already moved. TCdLhRdH received $7M on Feb 9. TJeCqcTc, TLpS7Brc, and TPTahdRc become the new operational layer.
Mar 2026	Tether freezes TFcLDs8S ($6.76M). All hop-0 addresses now dead.	Toll infrastructure already 2 hops away. THwNrbB5 (live operator) and TMesyn (mixer) handle day-to-day toll collection. $1 receipt system added for automation.

Each wave: funds pre-positioned in new wallets before the freeze lands. Operational disruption is near-zero — they anticipate enforcement actions.

Network trace (3 hops from OFAC wallets):

1. Hop 0: 8 Tron addresses OFAC-designated Jan 2026 (Zedcex/Zedxion, IRGC-linked). All Tether-frozen. Full history pulled from Tronscan.
2. Hop 1: 10 direct counterparties that moved millions with the OFAC wallets. 3 frozen, 7 active.
3. Hop 2: frequent counterparties of hop 1 — TLpS7Brc (hub), TXzbsqgM (funder), TBy6TYno (aggregator) + consolidation points. Cross-referenced with PortWatch transits. Role labels are hypotheses.
4. Hop 3: active operator THwNrbB5 ($200K+ daily, $1 receipt automation), mixer TMesyn ($5M+ on first toll day), and $7M splitter TB4G37jq.

Vessel sources: IMF PortWatch (daily counts) · hormuz-crossing-tracker (GFW satellite AIS) · Windward dailies · UANI Tanker Tracker · news reports (CNBC, Al Jazeera, Bloomberg) · MarineTraffic tile snapshots.

Every claim here can be independently checked from public data:

• Addresses: tronscan.org/#/address/{addr} — full TRC20 history. Every address in the dashboard is clickable.
• OFAC designations: Elliptic writeup or OFAC SDN search (Zedcex, Jan 30 2026).
• Transit counts: IMF PortWatch API (JSON, no auth).
• Tether freeze status: usdtbanlist.com.
• $1 receipt pattern: TLntW9Z5 — dozens of $1 inflows from THwNrbB5.
• Mar 25 alignment: TLpS7Brc shows $400K in + $500K out on the 1-ship day.

When the splitter wallet TB4G37jq received $6,999,900 from TCdLhRdH on Feb 11, 2026, it didn't just forward it. Before every large outbound transfer it first sent a $100 test, waited a few minutes, then sent the real amount. At 14:11:24 UTC: $100 to TPTahdRc. At 14:15:42 UTC: $1,249,900 to the same address. The probe-then-commit pattern repeats across its fan-out — a careful operator verifying the address before committing real money.

Calibration caveat: this is not unique to sanctioned-money infrastructure. Exchanges, OTC desks, and careful individuals on Tron all do this — address poisoning (vanity-prefix spam attacks) is rampant here, so the paranoia is warranted. The pattern identifies a professional human-in-the-loop operator, not which operator.