A familiar laundering signature lit up the Tron network this week, and on-chain investigator ZachXBT was first to map it. According to a security alert published on his Telegram Investigations channel, a single Tron address received 120.2 million USDT on June 11 and immediately began splitting the funds across centralized exchanges, instant-swap services, cross-chain bridges, and the privacy coin Monero (XMR), the textbook choreography of an entity trying to put distance between itself and the money’s origin.
The highly coordinated asset-rotation sequence was cut short early the following morning after stablecoin issuer Tether executed a definitive smart-contract freeze, blacklisting over $72 million remaining in a primary connected wallet.
The money trail
ZachXBT’s breakdown shows the 120.2 million USDT moving out almost as fast as it arrived. More than $12 million was routed to KuCoin deposit addresses, while around $8 million was pushed through various instant exchanges — services that swap assets quickly with minimal friction and, often, minimal identity checks.
A further $8 million-plus was bridged off Tron entirely, converted into Bitcoin and Ethereum via Near Intents, a cross-chain settlement mechanism that lets users move value between networks without a conventional bridge.
Each structural hop was executed simultaneously, forcing investigators to cross-reference order books and ledger distributions across entirely separate blockchain layers.
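The pattern described above, a large inflow followed by a rapid split across exchange, instant-swap, and bridge destinations, can be expressed as a simple monitoring heuristic. The following is an added example, not code from ZachXBT or from this article; the placeholder addresses, attribution labels, timestamps, and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: placeholder addresses, amounts in USDT rounded from
# the figures in the article, timestamps in seconds. Not real ledger records.
LABELS = {  # hypothetical attribution labels a monitoring team would maintain
    "ADDR_CEX_DEPOSIT": "exchange",
    "ADDR_INSTANT_SWAP_1": "instant_swap",
    "ADDR_INSTANT_SWAP_2": "instant_swap",
    "ADDR_BRIDGE": "bridge",
}
TRANSFERS = [  # (timestamp, sender, recipient, amount)
    (0, "ADDR_SOURCE", "ADDR_HUB", 120_200_000),
    (300, "ADDR_HUB", "ADDR_CEX_DEPOSIT", 12_000_000),
    (420, "ADDR_HUB", "ADDR_INSTANT_SWAP_1", 5_000_000),
    (480, "ADDR_HUB", "ADDR_INSTANT_SWAP_2", 3_000_000),
    (900, "ADDR_HUB", "ADDR_BRIDGE", 8_000_000),
    # Control case: one large deposit to a single exchange, hours later.
    (100, "ADDR_OTHER", "ADDR_TREASURY", 50_000_000),
    (7200, "ADDR_TREASURY", "ADDR_CEX_DEPOSIT", 45_000_000),
]

def fanout_alerts(transfers, labels, min_inflow=10_000_000, window_s=3600,
                  min_categories=3, min_fraction=0.2):
    """Flag addresses that receive a large inflow and, within window_s,
    spread at least min_fraction of it over min_categories service types."""
    outgoing = defaultdict(list)
    for ts, sender, recipient, amount in transfers:
        outgoing[sender].append((ts, recipient, amount))
    alerts = []
    for ts, _sender, hub, inflow in transfers:
        if inflow < min_inflow:
            continue
        by_category = defaultdict(int)
        for out_ts, recipient, amount in outgoing[hub]:
            category = labels.get(recipient)
            if category and ts < out_ts <= ts + window_s:
                by_category[category] += amount
        dispersed = sum(by_category.values())
        if len(by_category) >= min_categories and dispersed >= min_fraction * inflow:
            alerts.append({"address": hub, "inflow": inflow,
                           "by_category": dict(by_category),
                           "fraction": round(dispersed / inflow, 3)})
    return alerts

if __name__ == "__main__":
    for alert in fanout_alerts(TRANSFERS, LABELS):
        print(alert)
```

The control address is not flagged because its outflow reaches only one service category and falls outside the window; in practice the thresholds would be tuned against labelled historical flows.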
The Monero connection
The most consequential leg was the privacy play. The entity placed sizeable Monero buy orders, and the demand was heavy enough to move the market: XMR climbed from roughly $330 to around $420, a jump of over 27% that pushed the token toward the $424–425 resistance that capped its May rally.
On-chain analysts view this market behavior as a distinct fingerprint. Shifting transparent stablecoins into cryptographically shielded assets like Monero effectively turns the transaction history dark once the tokens settle on-chain. However, the heavy slippage and price spikes caused by converting tens of millions of dollars in real time often act as an unintended beacon for blockchain security watchdogs.
Interestingly, the structural choreography of this operation is identical to a massive $282 million laundering case exposed by ZachXBT in January. In that exploit, a victim’s hardware wallet was drained of BTC and Litecoin before the capital was aggressively funneled into Monero via low-friction instant swap layers, driving XMR up nearly 80% to historical highs.
Tether pulls the kill switch
The compliance and law enforcement response to the June 11 flow was nearly instantaneous. On-chain monitoring alerts confirmed that Tether added the connected Tron address T8zrPEsStbZAUx2SBhD4oHz8UW3FX9Ak9W to its global blacklist. The smart-contract lock was executed within a 30-second window of the address receiving a 72,030,295.55 USDT transfer.
The speed is a reminder of how much control sits behind the world’s largest stablecoin. Freezing USDT is not magic but a deliberate smart-contract function: Tether can add any address to a blacklist that blocks it from sending or receiving tokens, typically in coordination with investigators and law enforcement.
In addition, following the implementation of the federal GENIUS Act alongside global compliance regimes, stablecoin issuers are operating under stringent AML/CFT mandates to proactively lock funds tied to clear illicit movement, sanctions evasion, or exploit laundering.
While ZachXBT’s public data clearly outlines the destination channels of the 120.2 million USDT, the original exploit source of the funds remains undisclosed as of writing. However, Tether’s immediate $72 million freeze indicates that the underlying capital has already triggered active legal enforcement requests.
The incident underscores the dual nature of modern crypto infrastructure: while public ledgers allow a single independent investigator to decode a $120 million money laundering operation in a single evening, the core liquidity layer remains deeply centralized, capable of freezing millions of dollars at the click of a button.
