The main question after the 2025 publication was simple: would Tether close the window? The answer splits into four steps.
The window got shorter. The median gap fell from 3h 10m to 1h 46m on Ethereum (−44%) and from 1h 57m to 1h 30m on Tron (−23%).
An urgent mode appeared. In several post-period months the median collapses by orders of magnitude — 0 minutes (same block) on Ethereum in March 2026, 1.6 minutes on Tron the same month. Across the post-period, 16.3% of Ethereum and 17.3% of Tron blacklistings executed in under 2 minutes. This is not one or two episodes — it is a parallel, sustained workflow, plausibly law-enforcement-coordinated takedowns with signatures prepared off-chain and landed within one or two blocks. On Ethereum in March 2026, some 90 blacklistings executed in the same block as the submit — a pattern essentially unexplainable on a 3-of-6 multisig without off-chain coordination.
The standard mode remained. When Tether applies that coordination, the window shrinks to seconds; when it doesn’t, the window stays open for the standard hours. These are two different workflows in one system, and roughly 85% of blacklistings still go through the slow one. The falling median is partly a mix-shift — more pre-coordinated takedowns pulling the median down — rather than the routine workflow physically speeding up. The tails did not close either: on Tron the mean window nearly doubled during batch-heavy months (full p90/p99/max tables and the batch explanations are in
Appendix B).
So the risk is not closed. Architecturally nothing changed: 6 signers / threshold 3 on Ethereum, 3 / 2 on Tron, not a single OwnerAddition, OwnerRemoval, or event over 24 months. The attack surface — a public minutes-to-hours before the freeze — is intact.
Whether window length even matters to the attacker is the next section’s question, and the answer is uncomfortable: the biggest thefts happened in the shortest windows.