HuiOne After Sanctions: Nearly $1B Quietly Moved Through CEXs

Key Highlights:

On May 1, 2025, the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) designated Cambodia-based HuiOne Group as a Primary Money Laundering Concern, linking it to cyber heists supporting North Korea and large-scale fraud schemes. Yet HuiOne did not pause. Its infrastructure remained fully active and continued to facilitate deposits, withdrawals and likely laundering activity in real time through a live platform.

How HuiOne moved $1B USDT to CEXs after FinCEN’s action

Following FinCEN’s decision, HuiOne’s on-chain behaviour followed a clear operational sequence rather than a shutdown. According to Global Ledger's investigation, across Tron and Ethereum, wallet activity remained uninterrupted, with irregular balance changes indicating ongoing user deposits and withdrawals. Frequent balance fluctuations after May 1 show that HuiOne’s wallets remained active and under full control, not frozen or abandoned. 

Here’s a short breakdown of how HuiOne continued it’s operation even under sanctions imposure:

• Active wallet behaviour: Wallets attributed to HuiOne on the Tron network showed continuous activity from May 1 to June 17, with dynamic balance changes reflecting real-time flows.

Notably, unlike many entities that temporarily “pause” activity after an OFAC designation, HuiOne showed no such slowdown. Wallet activity remained continuous, and between May 4 and June 17 the group executed four identical 2 million USDT transfers to self-hosted wallets — a pattern consistent with deliberate layering or fund dispersion. 

• Almost 1B USDT were sent to major centralised exchanges: As per the Global Ledger’s counterparty report, HuiOne-linked Ethereum wallets transferred a total of 219 million USDT between May 1 and June 17. 

In general, approximately 942.9 million USDT was transferred from HuiOne wallets to major centralised exchanges on both the Tron and Ethereum networks, suggesting active interfacing with regulated platforms.

Beyond the flows: HuiOne’s new infrastructure stayed fully intact

HuiOne did not rely solely on on-chain activity to stay operational. Instead of slowing down after FinCEN’s action, the group preserved — and even expanded — its off-chain infrastructure. This helped maintain user-facing services, regulatory presence, and independent financial rails.

Key elements of this continued infrastructure include:

Conclusion: key lessons for CEX compliance officers 

The HuiOne case shows how quickly a sanctioned entity can adapt and continue operating in ways that blend into legitimate market activity. Despite FinCEN’s action, HuiOne maintained real-time wallet activity, moved close to $1B USDT into centralised exchanges and routed most of these flows through medium- and low-risk platforms — not the high-risk ones many teams focus on.

Three important signals stand out:

• Illicit flows concentrate where trust is expected. HuiOne’s largest outflows went to regulated exchanges, not to high-risk platforms.
• Static risk labels can create blind spots. More than 40% of Tron-based volume reached “lower-risk” CEXs, showing that sanctions exposure can hide in seemingly safe channels.
• Behavioural patterns matter. Repeated transfers to self-hosted wallets and irregular balance shifts are clearer indicators of laundering schemes.

Risk does not always enter through “high-risk” doors. Exchanges labelled as “safe” may still become conduits for illicit flows, not because of negligence but because of structural blind spots in their infrastructure. To protect your exchange from illicit flows, you need to see early signals before they escalate into operational or regulatory consequences.

At Global Ledger, our focus is to give CEX compliance teams the clarity needed to detect these patterns long before they become “dark spots”. With blockchain visualization technology, smart AML risk scoring, real-time monitoring, and complete counterparty insights, you can identify sanctioned flows, legacy exposure and indirect risk routes — even when they’re hidden behind “safe-looking” labels.