
A name change can defeat a simple string match. It cannot, by itself, sever ownership, customers, infrastructure, or the movement of funds. For compliance teams, the real question is therefore not whether the new name appears on a list. It is whether the new entity has inherited the old entity's business and risk.
The recent Huione/H-Pay case shows why this distinction matters. On June 23, 2026, the U.S. Financial Crimes Enforcement Network (FinCEN) proposed amending its existing special measure against Huione Group to expressly cover H-Pay Service PLC and other successor entities. FinCEN said Huione had attempted to evade the measure through restructuring, rebranding, and the transfer of business operations.
One legal point must be made at the outset: a FinCEN Section 311 special measure is not the same as an Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons List designation. It does not automatically create the same asset-blocking obligations. The applicable rule, jurisdiction, and the institution's own role must be established before any transaction is blocked or rejected.
This article uses “sanctioned entity” in the broader operational sense of an entity subject to restrictive financial measures. It does not treat FinCEN and OFAC authorities as interchangeable.
What the Huione/H-Pay case establishes
In May 2025, FinCEN identified Cambodia-based Huione Group as a financial institution of primary money laundering concern. According to FinCEN, Huione Group laundered at least $4 billion in illicit proceeds between August 2021 and January 2025. FinCEN separately identified at least $37 million linked to North Korean cyber heists, $36 million from virtual-asset investment scams, and $300 million from other cyber scams. These subcategories should not be read as a complete breakdown of the $4 billion total.
The 2026 proposal focuses on continuity. FinCEN's position is not merely that H-Pay has a similar name or operates in the same market. The proposal alleges that Huione shifted services and business functions to H-Pay and other entities after the original measure. That is the central compliance problem: a newly named entity may inherit the operational substance of an older high-risk entity even when exact-name screening returns no match.
The available evidence should be assessed in four layers.

1. Legal and control continuity
Start with facts that can establish who ultimately controls the entity:
- shareholders and ultimate beneficial owners;
- directors, senior managers, and authorized signatories;
- registration addresses, licenses, and corporate filings;
- contractual control, nominee arrangements, and related-party agreements.
A shared director or address is relevant, but rarely conclusive on its own. The strongest case comes from several independent facts pointing to the same control relationship.
2. Business transfer
The next question is whether the new entity has taken over the old entity's operating substance:
- customer accounts or balances were migrated;
- merchants, employees, or agents moved together;
- products, pricing, or service processes remained materially unchanged;
- customers were directed from the old service to the new one;
- settlement or treasury functions continued under a different name.
This layer matters because a successor relationship is usually visible as a sequence of events, not a single matching field.
3. Technical continuity
Technical infrastructure can reveal continuity that corporate records do not:
- reused domains, DNS records, hosting providers, or TLS certificates;
- shared APIs, application signatures, analytics identifiers, or code artifacts;
- common deployment accounts, server configurations, or administrative contacts;
- redirects from an old website or application to a new service.
Technical overlap must also be interpreted carefully. Two businesses can share a cloud provider or software vendor without sharing control. The probative value rises when the infrastructure is proprietary, administrative, or reused during the migration period.
4. On-chain fund and control continuity
Blockchain data can help test whether operational continuity is reflected in the movement and management of funds. Useful signals include:
- large balance transfers from legacy wallets to newly activated wallets;
- repeated sweeps occurring shortly before or after a shutdown, rebrand, or regulatory action;
- common gas-funding wallets, deployers, multisignature signers, or treasury counterparties;
- synchronized changes in transaction timing, denominations, and settlement routes;
- old wallets going dormant as new wallets begin performing the same function.
No single signal proves common control. A deposit to the same exchange, for example, may reflect nothing more than use of a popular service. Evidence becomes stronger when timing, value, control signals, and operational behavior align.
How to test a successor relationship on-chain
An investigation should begin with an auditable seed set, not an address selected because its behavior looks suspicious. Every seed should carry its source, publication date, chain, and attribution confidence.

Step 1: Validate the source of every seed
Seeds can be graded by evidentiary strength:
| Grade | Source | What it can support |
|---|---|---|
| A | Regulator, law-enforcement agency, or court filing | An official risk anchor for related-address investigation |
| B | Entity website, published financial report, or verifiable signed message | Direct attribution to the entity at the time of publication |
| C | Internal KYC records, customer transactions, or case materials | Use within the authorized investigation, with a preserved evidence trail |
| D | Open-source claim without independently verifiable attribution | A lead only; not a basis for an entity conclusion |
FinCEN's Huione and H-Pay materials do not publish a list of blockchain wallet addresses. Huione Group, however, disclosed cryptocurrency addresses in its own quarterly financial reports. The following TRON addresses appeared in Huione USD's 2024 Q3 report under “Huione” or “Hui One”:
TLMdLwLeaesPyowTMEEZYhUHunGHbT9arU
TMqDrZa5kEebg5wi3W3wusVZ6ZF2w6JczH
TQuFSvpct2FeBrKjRh8NDqtGAci2Z15RSaThese are company-disclosed legacy Huione anchors. They are not addresses designated by FinCEN, and they should not be relabeled as H-Pay wallets without additional evidence. Their value is narrower but still important: they provide a reproducible starting point for investigating whether funds, counterparties, or control patterns migrated after the old entity came under pressure.
Step 2: Define the migration window
Create a timeline around events that could trigger a transfer of operations:
- publication of a regulatory or enforcement action;
- termination of banking, exchange, or stablecoin access;
- announcement of a shutdown, restructuring, or rebrand;
- domain, application, or customer-service migration.
A practical first pass is 30 to 90 days before and after each event. The window should then be expanded only when the transaction history supports it. This prevents an investigation from turning into an unbounded graph search.
Step 3: Trace balance migration, not merely exposure
Direct and indirect exposure answer a screening question: did funds touch a known address? Successor analysis asks something harder: did the economic function of a wallet move elsewhere?
Look for:
- a material share of the legacy wallet's balance moving to a new cluster;
- near-total sweeps rather than ordinary customer payments;
- the new cluster becoming active as the legacy cluster winds down;
- a similar asset mix, transaction cadence, and settlement behavior;
- repeated movement through short-lived intermediary wallets.
The amount and timing should be reported precisely. “Funds were transferred” is weak. “Within 18 hours of the public shutdown notice, 92% of the wallet's USDT balance was swept through two newly activated addresses” is testable and reviewable.
Step 4: Compare control signals
Fund flows alone can be ambiguous. Investigators should look for evidence that the same operator may control both sides of the migration:
- the same wallet funds transaction fees for old and new addresses;
- the same deployer creates related contracts;
- multisignature membership overlaps;
- transaction execution follows the same automated schedule;
- the same unusual approval, batching, or sweeping pattern persists.
Control signals are especially useful when a migration uses multiple intermediary addresses to obscure a direct transfer.
Step 5: Test common counterparties
Common exchanges, payment processors, OTC desks, merchants, and stablecoin routes may show business continuity. But popularity matters: two wallets using a large exchange is weak evidence. Two wallets settling with the same small group of merchant addresses, in the same denominations and time bands, may be much more informative.
Counterparty overlap should therefore be weighted by specificity, recurrence, and timing.
Step 6: Grade the conclusion
A defensible report separates fact from inference:
- Confirmed facts: transactions, timestamps, amounts, contract calls, published records, and verified ownership statements.
- High-confidence inference: several independent indicators support the same explanation, with plausible alternatives tested and documented.
- Unresolved questions: the evidence is incomplete, contradictory, or dependent on an unverified attribution.
Avoid writing “same entity” when the evidence only establishes “direct exposure,” and avoid writing “money laundering” when the evidence only establishes an unusual movement pattern.
What a KYT provider should do after detecting the risk
Detection is only useful if it produces an auditable next action.

For a KYT provider, the output should separate three different dimensions:
- Entity risk: whether an address is attributed to a named entity and how reliable that attribution is.
- Behavioral risk: whether the transaction pattern shows rapid layering, peel chains, pass-through activity, circular flows, or other anomalies.
- Legal risk: whether a specific rule creates a prohibition, reporting obligation, enhanced-review requirement, or asset-blocking duty.
Each alert should preserve the underlying transaction hashes, timestamps, assets, amounts, hop distance, label source, and confidence. A label non-match should also be retained: it establishes what the system knew at the time and allows historical cases to be rerun when attribution data changes.
A mature workflow should support:
- automatic re-screening when entity labels or rules are updated;
- a clear explanation of which facts caused the alert;
- submission and review of counter-evidence;
- correction of mistaken attribution without deleting the audit trail;
- different thresholds for direct exposure, indirect exposure, and behavioral anomaly.
What an institution should do with the alert
The institution receiving a KYT alert should not let the risk score make the legal decision.
First, determine the applicable obligation. Is the entity subject to an asset freeze, a prohibition on certain transactions, a special-measure restriction, enhanced due diligence, or a reporting requirement? The answer may vary by jurisdiction, product, customer type, and the institution's role in the transaction.
Second, reconcile the on-chain evidence with the institution's own records:
- identify the customer and beneficial owner;
- establish the source of funds and purpose of the transaction;
- map internal ledger entries to transaction hashes;
- review prior account activity and related accounts;
- request supporting documents where appropriate.
Third, take a proportionate business action based on both the evidence and the governing rule. Depending on the facts, this could mean releasing the transaction, applying limits, restricting the account, rejecting activity, filing a report, or freezing assets where legally required.
Finally, define an exit condition and a reassessment date. A temporary restriction should not become permanent simply because nobody revisited the case. Conversely, a previously cleared case should be reopened if a new official attribution connects the address to a successor entity.
The practical lesson
Screening asks whether a name or address is already known. Successor-entity analysis asks whether control, business, infrastructure, and funds continued under a different identity.
Names can change overnight. Evidence chains usually do not. The compliance task is to preserve those chains, test alternative explanations, and state the conclusion at the level the evidence actually supports.
Data and scope note
This article lists three legacy TRON addresses disclosed by Huione in its 2024 Q3 financial report. It does not present a completed empirical tracing of their subsequent fund flows. No conclusion is made here that any address belongs to H-Pay, or that an on-chain succession relationship between Huione and H-Pay has been proven. Such a conclusion would require reproducible transaction analysis and corroborating control or business evidence.
References
- FinCEN Proposes to Sever H-Pay Service PLC and Other Huione Group Successor Entities From the U.S. Financial System
- FinCEN Notice of Proposed Rulemaking: H-Pay Service PLC and Other Huione Group Successor Entities (PDF)
- FinCEN Finds Cambodia-Based Huione Group to Be of Primary Money Laundering Concern
- OFAC FAQ 401: The 50 Percent Rule
- FATF Guidance on Beneficial Ownership of Legal Persons
- ICIJ: How ICIJ Traced Huione Group Funds to Major Crypto Exchanges
- Huione USD 2024 Q3 Financial Report (PDF)
ChainTrust Labs
Learn more about ChainTrust KYT, on-chain risk monitoring, and investigation products: https://chaintrustlabs.com/
