OFAC Sanctioned 134 ISIS-K Crypto Addresses in 2026
Treasury added 131 Tron wallets and 3 Monero wallets to the ISIS-K sanctions entry on July 2, 2026, and CoinDesk reported that Tether froze balances on all sanctioned Tron addresses.
On July 2, 2026, the U.S. Treasury’s Office of Foreign Assets Control expanded its ISIS-K sanctions entry to include 134 crypto wallet addresses, consisting of 131 Tron addresses and 3 Monero addresses.<sup class="cite">[1]</sup><sup class="cite">[2]</sup> Public reporting citing Treasury and Chainalysis stated that the Tron wallets had received more than $1.4 million since 2023 and sent more than $880,000, and that Tether froze balances on all 131 Tron addresses after the action.<sup class="cite">[3]</sup><sup class="cite">[4]</sup><sup class="cite">[5]</sup> The principal mechanism was not an exploit or insolvency event but a sanctions-based disruption of an alleged donation network that Chainalysis said had been solicited through ISIS-K’s media apparatus.<sup class="cite">[6]</sup> What is established is the designation, the chain breakdown, the cited flow totals, and the reported freeze action; what remains unresolved is whether any funds were seized, who controlled the addresses, and the full address-level transaction record.
This record relied on the structured brief derived from contemporaneous public reporting by CoinDesk, which attributed key facts to Treasury and Chainalysis.<sup class="cite">[1]</sup><sup class="cite">[3]</sup><sup class="cite">[6]</sup> Verification was limited to claims explicitly contained in that source set: the sanctions action, the number and chain type of addresses, the reported aggregate inflows and outflows, and the reported Tether freeze action.<sup class="cite">[1]</sup><sup class="cite">[2]</sup><sup class="cite">[4]</sup><sup class="cite">[5]</sup> No independent address-level on-chain reconstruction, court filing review, or transaction-hash validation was available in the brief, so attributional and balance-specific claims were treated as reported rather than independently established.
On July 2, 2026, the U.S. Treasury’s Office of Foreign Assets Control added 134 crypto wallet addresses to its ISIS-K sanctions entry, extending a counterterrorism enforcement framework into a discrete set of blockchain identifiers rather than naming only persons or organizations.[1] The sanctioned set comprised 131 Tron addresses and 3 Monero addresses, indicating that the action focused primarily on a Tron-based fundraising and transfer network while also identifying a smaller privacy-coin component.[2] In the present record, the event was therefore a regulatory intervention into alleged illicit financing infrastructure, not a theft, protocol exploit, or exchange failure.[1][2]
The earliest pivotal element documented in the brief was the accumulation of activity across the Tron wallets from 2023 onward. CoinDesk, citing Chainalysis, reported that the Tron addresses later added to the sanctions entry had received more than $1.4 million since 2023.[3] The same report stated that those wallets had sent more than $880,000, suggesting that the addresses were not merely static donation endpoints but part of an active transfer network through which funds moved onward after receipt.[4] The brief did not include transaction hashes, counterparties, or a complete address list, so the exact path by which funds entered and exited the network was not established in the present record, but the aggregate figures indicate sustained use over a multiyear period rather than a single episodic campaign.[3][4]
The attribution mechanism described in public reporting rested on blockchain tracing and intelligence synthesis rather than on a disclosed judicial record. Chainalysis said that ISIS-K used its media arm, al-Azaim Media Foundation, to solicit crypto donations through websites and messaging platforms.[6] Within that framing, the wallet cluster appears to have functioned as an intake and routing layer for donations associated with propaganda or outreach channels rather than as an operational treasury publicly identified through ordinary commercial activity.[6] Because the brief only preserved the reported attribution and not the underlying analytical dossier, the link between each individual address and any specific operator has remained evidentiary by report rather than independently reproducible from the materials provided.[6]
The decisive intervention occurred on July 2, 2026, when OFAC formally added the 134 addresses to the ISIS-K sanctions entry.[1] In practical terms, the designation changed the compliance status of those identifiers for U.S.-linked persons and firms and created a basis for immediate service-provider action where technical control existed.[1] That distinction mattered because the sanctioned set spanned two different technical environments. The 131 Tron addresses were reported to have been frozen by Tether, whereas the 3 Monero addresses were identified in the sanctions action without any corresponding freeze mechanism described in the brief.[2][5] The event therefore illustrated how sanctions enforcement can produce materially different operational outcomes depending on whether assets are held in a token system with issuer-level administrative controls or in an asset class where such controls are not described in the source record.[2][5]
Tether’s reported response was immediate and comprehensive within the Tron subset identified by the source. CoinDesk reported that Tether froze balances on all 131 Tron addresses.[5] That action did not require a protocol-wide halt or validator-level intervention; instead, it relied on the issuer’s ability to block token balances on supported chains.[5] In effect, the sanctions designation and the issuer’s control function combined to convert a list-based regulatory action into an operational constraint on wallet usability for the affected Tron addresses.[1][5] The brief did not state the balances present at the moment of freezing, did not identify whether non-USDT assets were held in those wallets, and did not establish whether any value had already moved beyond the frozen addresses before the action took effect.[3][4][5]
The chain composition of the sanctions set also shaped the likely enforcement profile. Tron accounted for 131 of the 134 addresses in the designation, while Monero accounted for 3.[2] In the source record, only the Tron side was paired with a documented post-designation freeze by a centralized issuer.[5] The Monero addresses were therefore significant less because of their count than because they marked an acknowledged privacy-coin component in the alleged network, one for which the brief offered no equivalent custodial or issuer-side remediation path.[2] As a result, the action appears to have had two layers: a broad legal prohibition covering all listed addresses and a narrower technical immobilization affecting the Tron wallets where Tether’s control was available.[1][2][5]
The documented consequences were regulatory and operational rather than market-wide. Treasury added 134 addresses to the ISIS-K sanctions entry, and CoinDesk reported that Tether froze balances on all 131 sanctioned Tron wallets.[1][5] Public reporting further stated that the Tron wallets had received more than $1.4 million since 2023 and sent more than $880,000, which establishes the scale of the network cited in the designation record.[3][4] The present dossier did not establish any seizure, forfeiture, criminal charge against identified wallet operators, or final disposition of frozen balances.[5] It also did not document broader market dislocation, user losses, or protocol-level outages arising from the action.[1][5]
Discussion
Within the CryptoMortem archive, this incident ranked #51 of 62 by severity, placing it in the 19.4th percentile overall, and #7 of 8 within the regulatory event type. Those rankings indicate that, by documented dollar scale, it sat in the lower tier of catalogued crypto incidents even though its policy significance was distinct. The event did not involve a large exchange collapse or protocol exploit; its importance lay in the interaction between sanctions law, blockchain tracing, and issuer-administered controls. The comparative pattern data are more revealing than the raw severity rank. The brief mapped the incident to the patterns “single_point_of_control” and “centralized_validator_set.” The former had been observed in 36 prior events, including 19 in the past 12 months, indicating that reliance on a concentrated administrative chokepoint has been a recurrent archive theme. The latter had been observed in 8 prior events, with 1 in the past 12 months, making it less common but still established as a recurring structural feature. In this case, the salient chokepoint was not a bridge multisig or exchange wallet but the issuer-level ability to freeze token balances on Tron after designation. Archive context also matters. CryptoMortem had catalogued 64 total events, with 33 in the 12 months preceding this incident. Against that backdrop, the case fits a broader shift in which post-incident analysis increasingly concerns control surfaces embedded in crypto infrastructure rather than only unauthorized extraction of funds. The event therefore contributes less to loss-severity history than to the archive’s record of how centralized administrative powers can be used for rapid enforcement once an address set has been identified.
Comparative analytics
All comparisons computed against the 64-event CryptoMortem archive at time of publication.
- Severity rank across full archive: #51 of 62 (19.4th percentile).
- Severity rank within same event type: #7 of 8.
- Pattern "Single Point Of Control": observed in 36 prior events (19 in the past 12 months).
- Pattern "Centralized Validator Set": observed in 8 prior events (1 in the past 12 months).
- Archive context: 64 events catalogued; 33 in the 12 months preceding this incident.
Limitations
The present record is narrow. As of 2026-07-02, it had not been established in the dossier whether any funds were seized; the source material stated only that Tether froze balances on the 131 Tron wallets.<sup class="cite">[5]</sup> The brief also did not provide a complete list of sanctioned addresses, any transaction hashes, or balance snapshots at the time of designation, which limited independent on-chain reconstruction of the reported flows.<sup class="cite">[3]</sup><sup class="cite">[4]</sup> In addition, the materials did not identify individual operators or controllers of the addresses. Chainalysis’s attribution to ISIS-K fundraising through al-Azaim Media Foundation was reported publicly, but the underlying evidentiary dossier was not included in the record provided here.<sup class="cite">[6]</sup>
Timeline
- Donation activity begins in the cited period
CoinDesk reported that the Tron wallets received more than $1.4 million since 2023.
source → - OFAC sanctions 134 ISIS-K-linked addresses
Treasury added 134 crypto wallet addresses to the ISIS-K sanctions entry, including 131 Tron and 3 Monero addresses.
source → - Tether freezes Tron balances
CoinDesk reported that Tether froze balances on all 131 Tron addresses.
source → - Chainalysis links fundraising to media wing
Chainalysis said ISIS-K used al-Azaim Media Foundation to solicit crypto donations through websites and messaging platforms.
source → - Treasury sanctions 134 ISIS-K crypto wallets, mostly on Tron
OFAC added 134 crypto wallets tied to ISIS-K to existing sanctions, including 131 on Tron and three on Monero. Chainalysis said the Tron wallets received more than $1.4 million since 2023, and Tether froze balances linked to all 131 sanctioned Tron wallets.
source →
Who was involved
- ISIS-Khorasanprojectattacker
- Chainalysisprojectbystander
- Tetherprojectenabler
- U.S. Office of Foreign Assets Controlregulatorregulator
Legal record
- Verdict Date
- null
Structural failures identified
Sources
- US Treasury sanctions over 100 ISIS-K crypto addresses in latest enforcement action, CoinDesk — OFAC sanctions count, chain breakdown, dollar amounts, Tether freeze, and Chainalysis attribution