Log in
For business
KYT office
Compliance solution to monitor risks, detect sanctions and ensure AML rules.
KYT office
Compliance solution to monitor risks, detect sanctions and ensure AML rules.
AML certification
How industry players can get up-to-date knowledge and professional certification.
AML certification
How industry players can get up-to-date knowledge and professional certification.
Comprehensive transaction analytics that helps to build graphs and trace funds.
Graph
Travel rule
(soon)
For personal use
Telegram bot
Bot for checking crypto for risks, providing AML reports.
Telegram bot
Bot for checking crypto for risks, providing AML reports.
Crypto recovery
Services are focused on tracking
and recovering crypto assets.
Сrypto recovery
Services are focused on tracking
and recovery crypto assets.
Docs and reports
All types of documents related
to cryptocurrency.
Docs and reports
All types of documents related
to cryptocurrency.
Portfolio tracker
Information about all assets and risk assessment in one place.
Portfolio tracker
Information about all assets and risk assessment in one place.
AML checks
Сhecking wallets and transactions
for illicit funds.
AML checks
Сhecking wallets and transactions
for illicit funds.
ES
FR
中文
Вход
AML-сертификация
Актуальные знания в области AML/KYT от ведущих экспертов отрасли.
AML-сертификация
Актуальные знания в области AML/KYT от ведущих экспертов отрасли.
Graph
Визуализация перемещения активов
и связей между кошельками.
Graph
Визуализация перемещения активов
и связей между кошельками.
KYT Office
Мониторинг транзакций и кошельков для вашего отдела комплаенса.
KYT Office
Мониторинг транзакций и кошельков для вашего отдела комплаенса.
Для себя
Для Бизнеса
Travel rule
(Cкоро)
Телеграм-бот
Бот для проверки кошельков и транзакций с выдачей отчётов.
Телеграм-бот
Бот для проверки кошельков и транзакций с выдачей отчётов.
Возврат средств
Услуги по отслеживанию и возврату украденных криптоактивов.
Возврат средств
Услуги по отслеживанию и возврату украденных криптоактивов.
AML-проверки
Проверка кошельков и транзакций на наличие "грязной" криптовалюты.
AML-проверки
Проверка кошельков и транзакций на наличие "грязной" криптовалюты.
Портфолио трекер
Информация о всех активах и оценка рисков в одном месте.
Портфолио трекер
Информация о всех активах и оценка рисков в одном месте.
Отчёты
Все типы документов связанные
с криптовалютой.
Отчёты
Все типы документов связанные
с криптовалютой.
PRIVATE
Government
Financial institutions
Exchanges
PSP's
Wallets
Gambling platforms
Investment platforms
Stablecoin issuers
Investigators
Regulators
Law enforcement
Для бизнеса
Госсектор
Финансовые организации
Биржи
Платежные провайдеры
Кошельки
Игровые платформы
Инвестиционные платформы
Эмитенты стейблкоинов
Расследователи
Регуляторы
Правоохранительные органы
ES
FR
中文
13.07.2026

Tether Blacklisting One Year Later: More Freezes, Faster Response, Same Public Window

A 24-month on-chain re-measurement of how USDT freezes work — and of the gap that still lets money escape them.

Version: 9 May 2026. Research window: 1 May 2024 — 9 May 2026 (24 months). All raw CSVs and scripts are in the open repository on GitHub. Detailed statistical tables, breakdowns of specific cases, and methodology verification are collected in Appendices A-H at the end of the full report, available for download at the link.

Over the past year, Tether has become one of the most visible enforcement tools in crypto: thousands of addresses blacklisted, more than $ 1B USDT destroyed across two years, and large-scale cooperation with law enforcement. But the core freeze mechanism still exposes a public window between the first multisig submission and the final execution. In that window, automated actors moved $ 127.6M USDT out of targeted addresses in clean cases alone.

Headline numbers:
  1. $1.08B USDT destroyed via over 24 months;
  2. $822M of that destroyed in the last year alone — roughly 3× the prior year;
  3. $127.6M of clean in-window outflow in the last year — ×6.1 versus $20.9M a year earlier;
  4. multisig architecture unchanged: 3-of-6 on Ethereum, 2-of-3 on Tron, zero owner or threshold changes in 24 months.

Table of content:

  1. Executive summary
  2. What Tether blacklisting is and why it matters
  3. Scale: blacklisting became mass enforcement
  4. The window: faster, but still public
  5. Exploitation: bots became industrial
  6. Lifecycle: where targeted USDT actually goes
  7. Atomic destroy: Tether’s own new pattern
  8. What this means
  9. Glossary

Executive summary

1. Tether blacklisting became a mass enforcement channel. Over 24 months Tether triggered the blacklisting of 7,562 addresses and now processes hundreds of addresses and tens-to-hundreds of millions of dollars every month, mostly at the request of law enforcement (DOJ, OFAC, Secret Service, FBI and counterparts in 23+ jurisdictions, institutionalized through the T3 Financial Crime Unit).

2. Destroyed USDT volume tripled. $822M burned in the last year versus ~$255M the year before — ×3.2 on Ethereum, ×3.3 on Tron.

3. The median window got shorter. The typical gap fell from 3h 10m to 1h 46m on Ethereum (−44%) and from 1h 57m to 1h 30m on Tron (−23%). In urgent, law-enforcement-coordinated takedowns Tether can now compress the window to seconds.

4. The window still exists by design. Both multisigs saw zero owner or threshold changes in 24 months; every speedup is behavioral, not contractual. About 85% of blacklistings still run through the slow public window.

5. Bots industrialized exploitation. Clean in-window interception reached $127.6M across 107 blacklisting events — ×6.1 year over year. This is not a new technique; it is the industrialization of window exploitation that already existed before our 2025 publication.

6. The largest losses now happen even in short windows. The single biggest interception — $37.30M on Tron — fit inside a 5.7-minute window; the biggest on Ethereum — $27.12M — inside 14 minutes. Speeding up the median does not stop fast actors.

7. The only durable fix is eliminating the public pending window. Interceptors are technically invariant to window length: as long as at least one block separates the first public submission from the final signature, the gap is exploitable.

What Tether blacklisting is and why it matters

Tether, as the issuer of USDT, reserved the right in its Terms of Service to freeze tokens at specific addresses — a right confirmed in public communications back in 2017–2018, when the corresponding methods first appeared in the contract. Mechanically it works through three owner-only calls on the USDT contract:
  • freezes an address — its USDT can no longer move;
  • unfreezes it;
  • burns the USDT held by an already-frozen address (typically followed, in seizure cases, by reissuance to a law-enforcement wallet).
The “owner” of the USDT contract is a multisig wallet — 3-of-6 signers on Ethereum, 2-of-3 on Tron — and that is where the vulnerability lives. (A detailed overview of the legal nature of stablecoin freezes is in BitOK’s piece “Willkie Farr & Gallagher: the legal practice of stablecoin freezes”.) The first signature to freeze an address ( submitTransaction ) appears in a public block; the freeze only takes effect when the last required signature lands.

Between those two moments the target address is still fully spendable, and anyone watching the chain can see exactly which address is about to be frozen. We documented this window in BitOK’s May 2025 research, estimating $30M+ had already escaped through it.
The vulnerability in one picture: between Tether’s first signature (Request posted) and the last (Freeze active), the target address stays spendable. An interceptor that moves the USDT out anywhere inside this window — sometimes within seconds, more often with minutes to spare — beats the freeze.

Why it matters now more than then: blacklisting USDT has stopped being a rare technical operation. The overwhelming majority of 2025–2026 freezes happen at the request of law enforcement or through the T3 Financial Crime Unit (Tether + Tron Foundation + TRM Labs, launched August 2024). A few markers of scale from the period:
  • January 2025 — $182M USDT frozen across 5 Tron wallets at the request of US law enforcement;
  • June 2025 — the DOJ filed a $225.3M civil forfeiture in a pig-butchering scheme and formally recognized Tether’s assistance;
  • October 2025 — T3 FCU passed $300M+ in frozen assets across 23;
  • February 2026 — Turkish authorities froze $544M USDT tied to the Şahin network’s illegal gambling;
  • April 2026 — Operation “Economic Fury”: $344M frozen on 2 Tron wallets of the Central Bank of Iran, in parallel with an OFAC SDN listing;
  • September 2025 — Tether announced real-time public disclosure of every blacklisting.
A freeze instrument of this standing inherits the obligations of one: its weakest mechanism becomes everyone’s problem. (The full takedown timeline and Tether’s policy statements are in Appendix A.)

Scale: blacklisting became mass enforcement

First, the system scaled. Over the 24 months observed, Tether triggered the blacklisting of 7,562 addresses and destroyed $1.08 billion USDT via million of it in the last year.
The dynamics differ by chain. On Ethereum the number of blacklistings barely changed, but the volume of destroyed USDT grew 3.2× — per blacklisting, Tether destroys noticeably more money. On Tron both the count (×2.4) and the burn (×3.3) grew. One composition note: more than a third of post-period Tron blacklistings target addresses holding under $100 — forward-defensive cluster sweeps that freeze whole groups of related addresses preemptively. Filtering those out, the real financial load on Tron grew ×2.1; all risk analysis below uses only the non-empty subset (full breakdown in Appendix C).

External summaries confirm the order of magnitude: T3 FCU passed $300M+ frozen across 23 jurisdictions by late October 2025; BlockSec independently counted $1.26B frozen across 4,163 addresses in calendar 2025 alone; Reuters puts the all-time figure at $4.2B frozen with Tether involved in 1,800+ investigations.

Across 2025–2026, Tether probably became one of the largest publicly observable on-chain enforcement instruments among stablecoin issuers.

The window: faster, but still public

The main question after the 2025 publication was simple: would Tether close the window? The answer splits into four steps.

The window got shorter. The median gap fell from 3h 10m to 1h 46m on Ethereum (−44%) and from 1h 57m to 1h 30m on Tron (−23%).

An urgent mode appeared. In several post-period months the median collapses by orders of magnitude — 0 minutes (same block) on Ethereum in March 2026, 1.6 minutes on Tron the same month. Across the post-period, 16.3% of Ethereum and 17.3% of Tron blacklistings executed in under 2 minutes. This is not one or two episodes — it is a parallel, sustained workflow, plausibly law-enforcement-coordinated takedowns with signatures prepared off-chain and landed within one or two blocks. On Ethereum in March 2026, some 90 blacklistings executed in the same block as the submit — a pattern essentially unexplainable on a 3-of-6 multisig without off-chain coordination.

The standard mode remained. When Tether applies that coordination, the window shrinks to seconds; when it doesn’t, the window stays open for the standard hours. These are two different workflows in one system, and roughly 85% of blacklistings still go through the slow one. The falling median is partly a mix-shift — more pre-coordinated takedowns pulling the median down — rather than the routine workflow physically speeding up. The tails did not close either: on Tron the mean window nearly doubled during batch-heavy months (full p90/p99/max tables and the batch explanations are in Appendix B).

So the risk is not closed. Architecturally nothing changed: 6 signers / threshold 3 on Ethereum, 3 / 2 on Tron, not a single OwnerAddition, OwnerRemoval, or event over 24 months. The attack surface — a public minutes-to-hours before the freeze — is intact.

Whether window length even matters to the attacker is the next section’s question, and the answer is uncomfortable: the biggest thefts happened in the shortest windows.

Exploitation: bots became industrial

Over the post-period, interceptors — actors that pull USDT out of a target address between Tether’s first signature and the last — extracted $127.6M in clean cases alone: $52.4M on Ethereum (14 blacklisting events) and $75.3M on Tron (93 events). A year earlier the same measurement gave $20.9M across 62 events. That is ×6.1 in dollars on the strictest definition we use.

“Clean” is the strictest bucket in our five-bucket classification: the interceptor withdrew ≥95% of the original balance and the address held ≤5% of it by the time the freeze executed — the address was definitively emptied, not merely active. (The full clean / racing / partial / weak / noise scheme and per-bucket volumes are in Appendix D.)
Tron interceptions are mostly manual-compatible: 78% had ≥10 minutes of reaction time, so no sub-second MEV is needed. Σ clean $13.4M → $75.3M (×5.6). On Ethereum the typical lead over the final signature dropped 46 → 10 min (×4.5), but the post-period is outlier-driven: the top-1 case ($27.12M) is 51%, the top-7 are 89%.

Three things stand out in the data.
  • This is industrialization, not invention. Interception existed before our publication ($20.9M pre-period is not zero); the post-period turned it into infrastructure. On Tron it is an already-working pipeline that grew ×5.6 in dollars and ×1.9 in case count, with the median lead over the final signature tightening from 145 to 86 minutes. On Ethereum the ×7.0 growth is outlier-driven — the single biggest case ($27.12M) is 51% of the post-period total — but the sub-minute reaction zone, empty a year ago, now holds a whole series of cases.

  • Not all of it is bots. On Tron, 78% of clean interceptions had ≥10 minutes of reaction time between the public submit and the outflow — the manual-compatible zone, where a Telegram alert plus a pre-built transaction is enough. Sub-minute, MEV-class reactions account for only 2% of Tron cases but 36% of Ethereum cases (including a series with 24–96-second leads over the final signature — a signature of automation no human can match). One vulnerability, two distinct exploitation styles — and any fix has to close both.

  • Short windows no longer protect anything. The largest interception of the entire corpus — $37.30M on Tron, 5 June 2025 — happened inside a 5.7-minute window: the bot beat the final signature by about 120 seconds, and within 4 minutes pushed the whole amount through the SunSwap V3 router into TRX. After such a swap, is structurally powerless — the asset is no longer USDT and cannot be burned. The largest Ethereum case ($27.12M, 26 July 2025) fit a 14-minute window. The exit layer has matured in parallel with the entry: pre-configured bridge channels (Chainflip, Near Intents), DEX-swap templates, even routes into perp accounts — the modern interceptor doesn’t just outrun the multisig, it moves into assets to which is inapplicable in principle. (Full case chains, destination clustering, bot anatomy, and the attribution discussion are in Appendix E; a forthcoming companion piece, “Racing Tether: three escape-automation patterns,” details the escape mechanics.)

Lifecycle: where targeted USDT actually goes

To see the system as a whole, take every address Tether aimed to blacklist, sum the balances at the moment of submit, and trace where each dollar ended up. Six destinations cover the space:
  1. still frozen — sitting on the blacklist, untouched;
  2. destroyed later — burned via the normal workflow, days-to-weeks after the freeze;
  3. destroyed atomically — burned in the same block as the freeze (Section 6);
  4. unfrozen — Tether later called removeBlackList ;
  5. intercepted in window (clean) — pulled out before the final signature;
  6. other in-window outflow — borderline cases and housekeeping traffic.
On Tron, in-window interception rose from 1.2% to 3.9% of targeted USDT ($75.3M); the 86.9% “still frozen” share is inflated by fresh LE operations not yet burned (recency). On Ethereum, ~1 in 5 targeted dollars did not stay frozen after publication: $52.4M intercepted (13%) plus $31.9M atomic-destroyed (8%), while “unfrozen” collapsed 18.8% → 1.2%.
The headline reading: on Ethereum, roughly one in five targeted dollars did not stay quietly frozen after our publication — $52.4M was yanked by interceptors (13.0%), $31.9M Tether destroyed atomically (7.9%), and “unfrozen” collapsed from 18.8% to 1.2% (Tether has practically stopped returning addresses to circulation, in line with BlockSec’s independent 3.6% removal-rate estimate for 2025).

Two caveats keep the table honest. The Tron “86.9% still frozen” figure is mostly a recency artifact: the last months of the post-period are packed with large LE operations ($461M in January 2026, $457M in April 2026) that haven’t yet reached the destroy phase. Controlling for blacklisting age, the post-period destroy rate is actually higher than pre (42.3% vs 31.8% in the comparable 12–18-month bucket) — Tether did not slow down burning (the age-bucket table is in Appendix G).

And one above-stack flow sits outside the decomposition entirely: over two years, $65.7M USDT landed on 463 addresses after they were already publicly blacklisted and was burned at the next destroy — money senders transferred, with their own hands, to addresses on a public blacklist. $36.7M of it on Tron arrived even after Tether’s September 2025 real-time disclosure announcement: transparency helps, but it does not solve the blind-sender problem by itself.

Atomic destroy: Tether’s own new pattern

While interceptors industrialized their side of the window, Tether’s workflow evolved too. The most visible change: and bundled into a single block — freeze and burn executed atomically, instead of the normal days-to-weeks gap between two separate multisig chains.

This is specifically a 2025 practice. Scanning all of USDT-Ethereum’s history (from the November 2017 deploy, ~20.4 million blocks): 2017–2024 produced just 4 atomic pairs for
$1.78M in total; 2025 alone produced 7 pairs for $32.0M. On Tron the pattern is essentially unused ($0.034M across 2 pairs) — with a 2-of-3 multisig and a shorter window, burning after the fact is safe enough.

Behind the $32M, however, sit two different phenomena. Seven of the eight Ethereum cases are small dust cleanup — $1.4k to $100k leftovers on blacklisted clusters, closed in one pass instead of two. Nearly all the value is one case: $31.77M on 8 November 2025, targeting the contract of the GAIB protocol, one day after GAIB opened its withdrawal portal. The picture is structurally consistent with a coordinated seizure — the contract’s inflow profile was institutional, and a plausible scenario is that specific depositors’ funds were flagged and seized in place — but it is not publicly confirmed; neither GAIB nor Tether has explained the episode, and an alternative (contract compromise or laundering use) cannot be excluded. Merging the dust cases and GAIB into a combined “$32M of LE coordination” would overstate it; the defensible narrative is the GAIB case specifically (full case table and chronology in Appendix F).

What atomic destroy demonstrates is capability: when Tether wants the freeze and the burn to be simultaneous and windowless, it can do it. It applies that tool selectively — the large public T3 takedowns of the period still went through the regular non-atomic workflow.

What this means

Tether improved operational speed, but did not remove the public gap. As long as the default workflow exposes a pending window, fast actors can prepare infrastructure around it.

The year’s data does not look like a race Tether is losing; it looks like a structural equilibrium. Tether has demonstrated it can compress the window to seconds in urgent series — and even to zero, atomically, when it chooses.

The interceptors, in turn, have demonstrated that window length is irrelevant to them: $37.30M left in a 5.7-minute window, and the modern exit layer converts USDT into unburnable assets within minutes. Both sides got faster; the gap between them stayed.

Important fact: even after Tron launched the real-time blacklist update, users managed to send $36.7 million to already blocked addresses. Therefore, our advice from 2025 remains the same: front-runners do not care that much about the window duration — it is enough for them to have at least one network block between the first public request and the final signature.
There are still three real solutions to this problem:
  1. Conduct the addBlackList operation instantly (atomically), collecting all signatures off-chain and sending them in a single ready transaction.
  2. Coordinate signatures non-publicly so that they end up in the same block without appearing in the public domain beforehand (via Flashbots bundles on Ethereum or a direct channel to super representatives on Tron).
  3. Create a separate emergency smart contract with a pre-prepared package of permissions for emergency cases.
So far, none of these options have been implemented. If Tether officially launches such a "fast lane" instead of manually performing accelerated blocks every time — that will be the key change in the system, which is truly worth watching.

Glossary

addBlackList / removeBlackList

Owner-only functions on the USDT smart contract. addBlackList(addr) freezes an address — its USDT can no longer be moved; removeBlackList(addr) lifts the freeze. Only the contract owner (Tether's multisig wallet) can call them.

destroyBlackFunds

Burns — permanently destroys — the USDT held by an already-frozen address. In seizure cases the destroyed amount is typically reissued to a law-enforcement wallet. Requires the address to be blacklisted first.

submit → execute window

The gap between the first multisig signature to freeze an address (submitTransaction, visible in a public block) and the final signature that actually executes the freeze. Inside this window the target address is still fully spendable — this is the vulnerability the research measures.

threshold confirm

The signature that reaches the required count — the 3rd on Ethereum, the 2nd on Tron — and triggers execution of the freeze in the same transaction.

multisig (Gnosis-classic)

The owner wallet of the USDT contract: 3 required signatures out of 6 signers on Ethereum, 2 of 3 on Tron. Neither changed in the 24 months observed.

interceptor (vs wallet drainer)

Any actor that pulls USDT out of a target address during the submit → execute window — from a fully automated MEV bot to a person with a Telegram alert and a pre-built transaction. Not to be confused with a "wallet drainer" in the phishing sense (fake sites, malicious approvals) — that is an unrelated phenomenon.

MEV

Maximal extractable value techniques — here, inserting a transfer into a block ahead of the freeze transaction. Sub-minute, MEV-class reactions account for a minority of interceptions: 2% on Tron, 36% on Ethereum.

atomic destroy

addBlackList and destroyBlackFunds bundled into a single block: the freeze and the burn execute together, leaving no gap between them. A Tether-side operational pattern that emerged in 2025.

clean / racing / partial / weak / noise

The five interception buckets by how fully an address was emptied. Only clean cases — ≥95% of the balance withdrawn and ≤5% remaining at execution — enter the headline figures.

bal_sub / bal_exe / out_share / bal_remain

Balance metrics per case: balance at submit, balance at execute, out_share = outflow ÷ bal_sub (what share was withdrawn), bal_remain = bal_exe ÷ bal_sub (what share remained when the freeze landed).

submitTransaction

The first call in the multisig cycle — it posts a proposed freeze and emits the first signature, opening the public window. Visible in a block before the freeze executes.

recency (recency effect / caveat)

A measurement artifact: freezes from the last few months haven't yet had time to go through the multi-week destroyBlackFunds cycle, so the "still frozen" share looks inflated until those cases mature. Controlling for blacklisting age corrects it.

cluster sweep (forward-defensive)

Blacklisting a whole group of related addresses at once — including empty ones — to prevent reactivation, rather than targeting money already present. Drives most of the Tron growth in empty-address freezes.

reissuance

After a seizure burn (destroyBlackFunds), Tether mints an equivalent amount of fresh USDT to a law-enforcement-controlled wallet, so the seized value is recovered rather than destroyed outright.

Flashbots bundle / super-representatives

Private transaction-ordering channels — Flashbots on Ethereum, super-representatives (block producers) on Tron — through which a freeze could be landed in one block without prior public visibility.

Gnosis-classic multisig

The specific multisig contract design both owner wallets use, in which submitTransaction emits both the proposal and the submitter's first signature, and the final signature executes the action in the same transaction.

MEV / mempool

MEV (maximal extractable value) is profit from controlling transaction order in a block; the mempool is the public pool of pending transactions. An interceptor watching the mempool can place a transfer ahead of the freeze.

civil forfeiture / SDN / pig-butchering

Enforcement context terms: civil forfeiture is the legal process by which authorities seize criminal proceeds; an SDN listing is OFAC's sanctions designation; "pig-butchering" is the industry name for long-con investment-fraud schemes that generate much of the frozen volume.

T3 FCU

The T3 Financial Crime Unit — a joint enforcement project of Tether, the Tron Foundation, and TRM Labs, launched August 2024; the main institutional channel for law-enforcement freezes in 2025–2026.
Support
Get it

To inquire about our plans, click here

Try BitOK for free