The largest Tether freeze of 2025

BitOK team detected a typical pattern used by this group to conceal the origin of stolen cryptocurrency.

The transaction flow is consistent with a standard ‘accumulate, layer, integrate' laundering pattern, representing one of the most prevalent money laundering methodologies seen in crypto markets today.

From the accumulation wallets, funds were routed to intermediate "transit" addresses, used primarily for layering and further obscuring the trail.

Example: 0x5dd1a12a9f9aaf19ed277c9fe177924e3b2cd344 received funds from attacker-controlled addresses and then forwarded them to additional wallets, forming a network of short-lived, low-purpose addresses — a key transaction monitoring red flag.

To complicate the identification of the ultimate beneficial owner (UBO), portions of the funds were moved through secondary and tertiary addresses, sometimes in circular patterns:

This creates additional layers of on-chain "noise", designed to hinder blockchain analytics, and is typical of complex layering schemes.

At the final stage, USDT was sent to deposit addresses of major centralized exchanges, where the perpetrators could cash out, convert, or further redistribute the funds.

Our analysis identified transfers to exchange-controlled wallets associated with Binance, Kraken, HTX (Huobi), KuCoin, OKX, WhiteBIT.

These platforms represent key off-ramp points, where robust AML/KYC controls and suspicious activity reporting (SAR/STR) mechanisms are essential.

In this specific case, partial flows of stolen funds were successfully traced to WhiteBIT, Binance, HTX, among others. The pattern of alternating "accumulation → transit → exchange" phases closely mirrors known fraud and laundering typologies already documented in relation to organized criminal groups.

The underlying predicate offense appears consistent with a pseudo-investment fraud often overlapping with so-called “pig butchering” romance/investment scams:

1. Social engineering and misrepresentation.
Fraudsters present themselves as “professional traders” or “portfolio managers” and persuade victims to transfer significant amounts of cryptocurrency for alleged high-yield trading strategies.

2. Fabricated performance and false reporting.
Over a period of time, victims are shown fake trading dashboards, screenshots, or even staged videos that simulate successful trades and growing balances.

3. Exit or secondary extortion.
Ultimately, the perpetrators either:

Blockchain security experts note a sharp increase in reported cases of this typology, making it a key fraud risk for compliance teams to monitor.

Although the recent freeze of approximately $ 45 million in USDT is a significant enforcement milestone, it represents only a small fraction of the overall volume associated with fraudulent activity in the virtual asset ecosystem. In the other investigation conducted by our analysts (referenced in the transaction flow diagram Illustration 6), we identified an estimated $ 150 million in illicit proceeds. Of this amount, roughly $ 83 million was traced through the mapped wallet cluster, and only about $ 24 million was ultimately frozen. This discrepancy underscores a broader reality: the true scale of misappropriated funds is substantially higher, and a considerable portion cannot be intercepted in time.

Effectively mitigating these threats requires tightly coordinated action between industry participants, blockchain analytics providers, and law enforcement agencies. Since the launch of USDT in 2014, Tether has frozen in excess of $ 1.5 billion in assets linked to suspected illicit activity. Yet, despite these measures, the prevalence and sophistication of crypto-related fraud schemes continue to grow. A notable example is the November 2023 case, in which Tether voluntarily froze approximately $ 225 million in USDT connected to a large-scale international "romance" investment-phishing operation employing the so-called "pig butchering" tactic in Southeast Asia.

The October 31 enforcement action dealt with an extensive scam network, disrupting fraudulent flows and constraining the perpetrators' liquidity. However, the campaign against such schemes is ongoing. The wider industry is intensifying efforts to identify, trace, and disrupt fraud typologies at an earlier stage, enhance preventive and detection controls, and deepen operational cooperation with law enforcement to more effectively combat cryptocurrency-enabled financial crime.