
How Tether’s Blacklisting Mechanism Allowed Offenders to Retain $50 Million?

USDT, Tether’s flagship stablecoin, has long set the benchmark in its market. As regulators worldwide tighten oversight of cryptocurrencies — and stablecoins in particular — Tether not only maintains strict compliance with all legal requirements but also partners with authorities to prevent illicit use of its tokens.

Yet are Tether’s internal controls truly infallible? We scrutinized the company’s fund-blocking protocols and the technical mechanisms behind token freezes — and uncovered vulnerabilities that could enable malicious actors to bypass these safeguards.

What is Tether and Its Tokens?

Originally registered in the British Virgin Islands, Tether is now legally domiciled in El Salvador. As a result, it isn’t directly subject to U.S. or EU legislation — yet the company voluntarily adheres to international laws and cooperates with foreign regulators.

Under Salvadoran law, USDT is formally classified as a stablecoin. This definition mirrors the EU’s framework, which defines stablecoins as tokens fully backed by fiat currency or a basket of assets.

As of March 31, 2025, Tether’s balance sheet stood as follows:
  1. Total Assets: $149,274,515,988.00 USD
  2. Total Liabilities: $143,682,673,588.00 USD
  3. Net Equity: $5,591,842,400.00 USD
Meanwhile, USDT issuance currently totals about 151.36 billion tokens (151,359,797,434.88 USDT), and the past month’s transfer volume reached approximately 3.43 trillion USDT (3,425,512,430,531 USDT).

Today, the vast majority of USDT transactions occur on Tron and Ethereum. Although Tether has deployed smart contracts on additional networks — such as Solana, TON, Avalanche, Celo, Cosmos, and more (see the full list of supported blockchains here) — their transfer volumes and active user counts remain far lower than those on Tron and Ethereum.

While blockchain transparency might imply unrestricted USDT transfers, the reality is more nuanced. Every Tether smart contract embeds an on-chain blacklist — a registry of addresses barred from transacting. Only Tether’s administrators can add addresses to this list, effectively freezing any token movements to or from those accounts.

The process of address blocking and asset freezing is detailed in Tether’s internal policies, specifically in the Terms of Service (the actual Terms of Service is available here) and Law Enforcement Requests Policy (the actual Law Enforcement Requests Policy is available here). According to sections 8.15 and 16 of the Terms of Service, Tether reserves the right to suspend or terminate access to services, freeze any Tether tokens or user accounts if required by law or if Tether independently deems it necessary (such as for user violations or attempts at illegal activities). In other words, when users purchase or use USDT, they agree that in certain circumstances their tokens may be frozen or confiscated. Tether explicitly states its right to freeze client tokens in sections dealing with the legal consequences of violations. In specific cases, Tether can not only freeze the respective amount of USDT but also annul them and recover the fiat backing (essentially confiscating the tokens).

Each blocking is legally formalized individually but always involves an external lawful requirement and an internal Tether decision, followed by technical implementation.

Reasons for Blocking Funds by Tether

The main reasons for fund blocking include:
  1. Sanctions imposed by various jurisdictions
  2. Official requests from law enforcement and regulatory bodies
  3. Voluntary preventive measures

Sanctions by the US and Other Jurisdictions

Under US legislation, grounds for blocking include:
  • OFAC sanctions
  • FinCEN requirements
  • US AML/CTF laws (Bank Secrecy Act, PATRIOT Act, etc.)
Though Tether is not a US company, it states, "Tether respects the OFAC SDN list and is committed to working to ensure sanction addresses are frozen promptly."

In 2022, after sanctions against Tornado Cash, the company refrained from unilateral blocking of related addresses until receiving official instructions but affirmed readiness, stating, "Tether does consider OFAC Sanctions as part of its world-class compliance program." By late 2023, Tether adopted a proactive policy, voluntarily blocking any new addresses added to the OFAC SDN sanctions list without awaiting individual instructions. This is due to increased attention from US regulators (OFAC) and the necessity to prevent sanctions evasion through stablecoins.

Aside from OFAC SDN sanctions lists, Tether considers AML/CFT legislation requirements. In the US, the Financial Crimes Enforcement Network (FinCEN) handles this. Under US law, any assets investigated by FinCEN (linked to money laundering, drug trafficking, terrorism financing, etc.) can be frozen. If a USDT address is involved in a US investigation (by FinCEN, FBI, etc.), the company risks violating the Bank Secrecy Act and other federal laws if it fails to act.

EU legislation may also serve as a basis for blocking, specifically sanction lists or AML directive requirements (AMLD). Although Tether is not registered in the EU, it declares global compliance (within its "world-class compliance program") and effectively complies with European sanctions and AML/CFT laws alongside US laws. EU Directives on AML (AMLD 4−6) require cryptocurrency industry controls, including transaction monitoring and suspicious asset freezing.

Official Requests from Law Enforcement and Regulatory Bodies

In addition to the Terms of Service, Tether publishes a Law Enforcement Request Policy — a guide for law enforcement interactions. Tether notes it voluntarily provides information and assists authorities, but mandatory measures (freeze) require an "appropriate legal process," i.e., legally formalized requests.
For Tether to freeze addresses and tokens, appropriate legal grounds are needed. According to the Law Enforcement Requests Policy, the company responds only to official requests from US law enforcement and regulatory bodies but accepts documents from any country.

These can include:

  1. subpoena (court summons requiring information or actions)
  2. production order (court order to freeze assets or disclose information)
  3. warrant (order, e.g., to arrest/confiscate specific crypto in a criminal case)
After executing the block, Tether usually informs the requesting authority. The Law Enforcement Requests Policy indicates Tether reserves the right to inform authorities of any user and transaction details during investigations. Consequently, executed blocks typically include providing balances of frozen tokens, related transactions, IP logs (if available), and other requested data. For transparency, the block itself is visible on the blockchain, but reasoning is typically disclosed only to competent authorities. Occasionally, Tether issues press releases or public comments when it does not interfere with investigations.

Equivalent instruments exist outside the US (e.g., EU state court orders, European asset confiscation warrants). Upon receiving a request, Tether verifies the requester’s authority (requests must come from official agency domains, citing legal grounds or court rulings).

In some cases, Tether responds to less formal requests — such as an email notification from the government authority assuring that an official warrant is pending. Such emergency requests occur when accounts belong to criminals at risk of immediate asset withdrawal. Generally, Tether fulfills voluntary law enforcement requests if they can be verified, with formal documents provided subsequently.

However, Tether does not directly freeze tokens at the request of individual users (e.g., fraud victims). Private individuals cannot directly request another wallet’s blocking without a corresponding law enforcement or judicial request. Users must first contact the police, who submit requests through courts or authorities to Tether.

Voluntary Preventive Measures

In recent years, Tether has increasingly implemented voluntary blocking measures beyond direct legal requirements. As previously mentioned, since December 2023, a proactive policy has been in place to block addresses listed on sanction lists (e.g., updates of OFAC’s SDN list). This means the company does not always wait for a formal request but blocks on its own initiative to protect the system, especially if the address is obviously linked to criminal activities (e.g., hacker wallets, darknet markets, scammers, etc.).

Voluntary measures also include freezing funds stolen during major hacks at the request of victims or analytical companies. For example, Tether cooperates with blockchain analytics companies (Chainalysis, SlowMist, BitOK, etc.) and can voluntarily freeze tokens as soon as it receives credible information about fraud. In July 2024, according to MistTrack, $870,000 USDT was frozen across three addresses linked to phishing and theft — a proactive measure based on monitoring without any public indication of a direct government order.

However, Tether acts cautiously: in 2022, the company openly stated that it would not unilaterally freeze suspicious addresses without a clear law enforcement request to avoid disrupting covert investigations: "Even if Tether recognizes suspicious activities on such an address, completing a freeze without the verified instruction of law enforcement and other government agencies might interfere with ongoing and sophisticated law enforcement investigations". Law enforcement agencies themselves sometimes request not to hasten the blocking of specific addresses to track criminal networks and Tether complies with these instructions.

Thus, Tether’s voluntary policy has evolved: previously (up to 2022), the company blocked primarily upon requests, but by 2023−2024, it began proactively initiating blocks (especially concerning sanctioned and widely recognized criminal wallets) to protect the ecosystem and reputation and to cooperate with the global cybersecurity community.

Can Funds Be Unblocked?

The detailed procedure for unblocking funds is not described anywhere publicly, but according to Tether tokens Recovery Policy (the actual Tether tokens Recovery Policy is available here), "any legal issues related to Law Enforcement requests/thefts/hacks/scams/similar should be reported to the Tether Information requests team." Thus, the entire procedure is conducted according to Tether’s internal regulations, which are not disclosed.

There certainly are examples of successful unblocking. According to public blockchain data, out of 5131 blocked wallets in Tron and Ethereum, a total of 330 wallets have been removed from the blacklist. This accounts for just 6% of blocked wallets, a small share, and the exact unblocking procedure is not specified anywhere.

What is the Volume and Frequency of Tether's Blocking Now?

At the time of writing, Tether's blacklist includes 5131 addresses (2816 in Tron and 2314 in Ethereum), with a total frozen amount of $3.027 billion ($1.371 billion in Tron and $1.656 billion in Ethereum).

The chart below illustrates how both the volume of blocked funds and the number of blocked wallets have increased recently.

Tether’s blacklisting trends.

Source data: Tron and Ethereum.

The chart clearly shows a noticeable increase in asset freezes subsequent to Tether's implementation of voluntary blocking measures in December 2023.

How is the Blocking Mechanism Implemented in Tether’s Smart Contracts?

As mentioned earlier, Tether primarily operates on the Tron and Ethereum networks, with USDT as its primary token. All of its smart contracts share a similar design (with minor exceptions), so we will study the smart contracts on these two networks specifically.

Let’s examine the source code of these smart contracts:

  1. TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t (Tron) — view full source code on Tronscan.
  2. 0xdac17f958d2ee523a2206206994597c13d831ec7 (Ethereum) — view full source code on Etherscan.

The smart contract implements the blocking mechanism via three key functions:

  1. addBlackList (address). After calling this function, all token operations on the specified address are immediately disabled.
  2. removeBlackList (address). After calling this function, the address is immediately removed from the blacklist and can resume token transfers.
  3. destroyBlackFunds (address). After calling this function all funds held by the blacklisted address are immediately burned.
Only the owner defined in the smart contract can call these functions. The management of the smart contract contains many interesting details.

Inspecting the smart contracts reveals that the owner on the Tron network is TBPxhVAsuzoFnKyXtc1o2UySEydPHgATto, while on Ethereum it is 0xC6CDE7C39eB2f0F0095F41570af89eFC2C1Ea828.

The owner of the USDT smart contract on Tron.

View on Tronscan

The owner of the USDT smart contract on Ethereum.

View on Etherscan

By looking up these addresses on any blockchain explorer, you’ll discover they’re not simple cold wallets but multisig smart contracts.

Tether’s administrators govern token contracts via a multisig scheme. But how exactly does multisignature work in a multisig wallet?

A multisig wallet is a cryptocurrency wallet that requires multiple key signatures to perform operations — whether managing funds or interacting with smart contracts. In other words, a transaction only goes through when at least m out of n designated owners approve it.

The process for operations requiring confirmations involves two steps:

  1. Constructing the transaction that the wallet will execute.
  2. Collecting the required confirmations and then submitting the transaction for on-chain execution.

A key drawback of multisig wallets is the delay between proposing a fully parameterized transaction and its actual execution on the blockchain. During this window, anyone monitoring pending transactions can inspect — and potentially exploit — the transaction details before it’s finalized.

Collecting Blocks through Tether’s Multisig Wallet

First, let’s fetch all transactions associated with these wallet smart contracts:

All Tether’s multisig wallet transactions.

Source data: Tron and Ethereum.

For fetched Tron transactions, we observe the following smart-contract calls:

  • submitTransaction (3604 calls)
  • confirmTransaction (3513 calls)
  • revokeConfirmation (6 calls)
  • executeTransaction (3 calls)

On Ethereum, the pattern shifts:

  • submitTransaction (4247 calls)
  • confirmTransaction (7864 calls)
The reason confirmTransaction calls almost double submitTransaction on Ethereum is that the Tron wallet enforces a 2-of-N multisig scheme, whereas the Ethereum wallet requires 3-of-N confirmations per transaction.

Next, we’ll focus exclusively on the submitTransaction calls, since this function determines which transaction is created upon confirmation — and that’s where all future blacklist additions originate.

The function code is as follows:


    /// @dev Allows an owner to submit and confirm a transaction.
    /// @param destination Transaction target address.
    /// @param value Transaction ether value.
    /// @param data Transaction data payload.
    /// @return Returns transaction ID.
    function submitTransaction(address destination, uint value, bytes data)
        public
        returns (uint transactionId)
    {
        transactionId = addTransaction(destination, value, data);
        confirmTransaction(transactionId);
    }

This function takes three parameters:

  • destination. The address of the target smart contract to be called.
  • value. The amount in the native token (TRX or ETH) that should be sent to the target smart contract.
  • data. Binary data with which the target smart contract will be called.

Example of calling the submitTransaction function.

View on Tronscan

On success, the function returns a new transaction identifier and emits two events simultaneously:

  • Submission(transactionId). Emitted when the transaction is submitted.
  • Confirmation(msg.sender, transactionId). Emitted as the first confirmation of the transaction.

Example of emitted events.

View on Tronscan

Now we need to:

  1. Gather all submitTransaction calls and decode their destination and data parameters.
  2. Filter those calls to only the ones invoking addBlackList on the USDT token contracts, extracting the blocked addresses.
  3. Determine the resulting transaction ID for each of those calls.

All submitTransaction calls have been extracted for analysis:

All submitTransaction calls.

Source data: Tron and Ethereum.

We detect calls to addBlackList by looking for the function selector 0ecb93c0 at the start of the data field — this four-byte sequence uniquely identifies addBlackList on both EVM and TVM chains.

The remainder of the data payload encodes the address argument for addBlackList, which we decode.

Finally, from the transaction receipt logs we read the Submission(uint256) event to obtain the newly created transaction ID.

This produces a table summarizing each address-blacklisting initiation:

All submitTransaction calls.

Source data: Tron and Ethereum.

An address is officially blacklisted only after the transaction has received the required number of confirmTransaction calls. Since submitTransaction emits one confirmation automatically, Tron needs one additional confirmation (for a total of two), whereas Ethereum requires two more (for a total of three).

The table below lists only the final confirmTransaction calls — those that satisfy the required confirmation threshold — for each transaction, with each decoded transactionId recorded.

All final confirmTransaction calls.

Source data: Tron and Ethereum.

As the final step of this analysis, we match each submitTransaction call with its corresponding final confirmTransaction call by transaction ID, and compile the results into one table:

Matched submitTransaction and final confirmTransaction calls.

Source data: Tron and Ethereum.

We now have both the initiation and completion records for each blacklist addition, giving us precise start and end timestamps for the entire process.
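The decode-and-match procedure described above, as an added Python example that is not BitOK's own tooling. The record field names (`tx_id`, `destination`, `data`, `ts`) are hypothetical, the sample records are constructed rather than real chain data, and `revokeConfirmation` calls are not modelled.

```python
from collections import defaultdict

# Selector and USDT contract address are taken from the article.
ADD_BLACKLIST = bytes.fromhex("0ecb93c0")
USDT_ETH = "0xdac17f958d2ee523a2206206994597c13d831ec7"


def decode_add_blacklist(data_hex):
    """Return the address argument of an addBlackList payload, else None."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    # Expect the 4-byte selector followed by exactly one 32-byte ABI word.
    if len(raw) != 36 or raw[:4] != ADD_BLACKLIST:
        return None
    # The address is the low 20 bytes of the word; padding bytes are ignored.
    return "0x" + raw[-20:].hex()


def match_blacklistings(submits, confirms, token, threshold):
    """Pair each addBlackList submission with its threshold-reaching confirmation.

    submits:  dicts with tx_id (from the Submission event), destination, data, ts
    confirms: dicts with tx_id, ts (one per confirmTransaction call)
    threshold: confirmations required (2 on Tron, 3 on Ethereum per the article)
    Field names are hypothetical; revokeConfirmation calls are not modelled.
    """
    confirm_times = defaultdict(list)
    for c in confirms:
        confirm_times[c["tx_id"]].append(c["ts"])

    rows = []
    for s in submits:
        if s["destination"].lower() != token.lower():
            continue
        target = decode_add_blacklist(s["data"])
        if target is None:
            continue
        # submitTransaction already counts as the first confirmation.
        extra = sorted(confirm_times[s["tx_id"]])
        needed = threshold - 1
        if needed == 0:
            final_ts = s["ts"]
        elif len(extra) >= needed:
            final_ts = extra[needed - 1]
        else:
            final_ts = None  # still pending: not yet blacklisted
        delay = None if final_ts is None else final_ts - s["ts"]
        rows.append({"tx_id": s["tx_id"], "address": target,
                     "submitted": s["ts"], "finalized": final_ts, "delay_s": delay})
    return rows


# Constructed sample records (not real chain data); timestamps in seconds.
PAD = "00" * 12
SUBMITS = [
    {"tx_id": 1, "destination": USDT_ETH, "ts": 1000,
     "data": "0x0ecb93c0" + PAD + "11" * 20},
    {"tx_id": 2, "destination": USDT_ETH, "ts": 2000,
     "data": "0xdeadbeef" + PAD + "22" * 20},   # other call: ignored
    {"tx_id": 3, "destination": USDT_ETH, "ts": 5000,
     "data": "0x0ecb93c0" + PAD + "33" * 20},
]
CONFIRMS = [{"tx_id": 1, "ts": 1600}, {"tx_id": 1, "ts": 4600},
            {"tx_id": 3, "ts": 5200}]

if __name__ == "__main__":
    for row in match_blacklistings(SUBMITS, CONFIRMS, USDT_ETH, threshold=3):
        print(row)
```
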

Analyzing the Impact of the Vulnerability and Volume of “Saved” Funds

First, let’s calculate the average time delay between submitting an address for blacklisting and completing the process.

On Tron, the overall average delay is 37 hours, with a median of 2 hours 47 minutes. Over the past year, the average delay fell to 4 hours 57 minutes, with the median at 2 hours. However, these delays remain substantial! Several cases over the past year stretched to 24 hours, 40 hours, and even 151 hours.

On Ethereum, the issue is even more pronounced: the average delay is 151 hours, with a median of 5 hours and 26 minutes.

The longest observed delay on Tron was 58 days, while on Ethereum it soared to 678 days—nearly two years.

Average blacklisting delay.

Source data: Tron and Ethereum.

Finally, let’s compute the key metrics—deposits, withdrawals, and frozen balances—for blocked wallets during the interval between blacklisting initiation and completion:

Deposits, withdrawals, and frozen balances during the blacklisting delay.

Source data: Tron and Ethereum.

Remarkably, some wallets managed to withdraw funds even during the brief blacklisting window—occasionally totaling millions of USDT. By computing net outflows (withdrawals minus deposits) over the interval between blacklisting initiation and completion, we identified 181 Tron wallets and 76 Ethereum wallets with positive net outflows, amounting to $34.5 million and $21.1 million, respectively.

However, it would be naive to assume that everyone who withdrew funds knew they were about to be blacklisted. To flag potential insiders, we apply a heuristic:

  • any wallet ending the blacklisting window with under 20 USDT remaining or with a balance below 5% of its net outflows.

Under these criteria:

  • 80 potential insiders on Tron withdrew $18.1 million.
  • 28 potential insiders on Ethereum withdrew $13.0 million.
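The net-outflow calculation and the insider heuristic above, as an added Python example that is not BitOK's own code. Function names, wallet labels, transfers and balances are constructed; amounts are whole USDT, and "balance below 5% of its net outflows" is read here as the end-of-window balance compared against 5% of (withdrawals minus deposits).

```python
def window_flows(transfers, wallet, start_balance, t_submit, t_final):
    """Sum a wallet's deposits and withdrawals inside [t_submit, t_final).

    transfers: iterable of (ts, src, dst, amount) token transfers
    start_balance: the wallet's balance at t_submit
    Returns (deposits, withdrawals, end_balance).
    """
    deposits = withdrawals = 0
    for ts, src, dst, amount in transfers:
        if not (t_submit <= ts < t_final):
            continue  # outside the blacklisting window
        if dst == wallet:
            deposits += amount
        if src == wallet:
            withdrawals += amount
    return deposits, withdrawals, start_balance + deposits - withdrawals


def is_potential_insider(deposits, withdrawals, end_balance,
                         dust_limit=20, pct_of_outflow=5):
    """Apply the article's heuristic to one wallet's window metrics."""
    net_outflow = withdrawals - deposits
    if net_outflow <= 0:
        return False  # only wallets with positive net outflow are considered
    # Integer comparison avoids float rounding: balance < pct% of net outflow.
    below_ratio = end_balance * 100 < pct_of_outflow * net_outflow
    return end_balance < dust_limit or below_ratio


def flag_wallets(transfers, wallets):
    """wallets: {label: (start_balance, t_submit, t_final)} -> flagged labels."""
    flagged = []
    for label, (balance, t_submit, t_final) in wallets.items():
        metrics = window_flows(transfers, label, balance, t_submit, t_final)
        if is_potential_insider(*metrics):
            flagged.append(label)
    return flagged


# Constructed sample data: (timestamp, from, to, amount in USDT).
TRANSFERS = [
    (50,  "A", "X", 10),         # before A's window: ignored
    (120, "A", "X", 999_990),    # A empties itself during the window
    (150, "Y", "A", 5),
    (130, "B", "X", 100_000),    # B withdraws but keeps most of its balance
    (140, "C", "X", 1_000_000),  # C leaves 30,000, under 5% of its outflow
    (160, "Y", "D", 7_000),      # D only receives funds
]
WALLETS = {
    "A": (1_000_000, 100, 200),
    "B": (500_000, 100, 200),
    "C": (1_030_000, 100, 200),
    "D": (0, 100, 200),
}

if __name__ == "__main__":
    print(flag_wallets(TRANSFERS, WALLETS))
```
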

Let’s visualize the monthly trends for potential insider activity:

Potential insider activity.

Source data: Tron and Ethereum.

Notably, both the number of wallets “saving” funds and the total volume have surged in recent months, indicating that more participants are exploiting this vulnerability.

With such prolonged confirmation delays, savvy wallet owners can anticipate impending blacklists and migrate assets to fresh, “clean” addresses. Moreover, this workflow could be fully automated—potentially protecting funds in up to 99% of cases.

Conclusion

From the standpoint of today’s AML/CFT requirements and the wider regulation of crypto-asset markets, Tether’s compliance framework is largely exemplary. The firm shows a strong commitment to legal obligations, responds quickly to requests from competent authorities, actively supports their investigations, and proactively identifies and freezes wallets linked to illicit activity.

Despite these strengths, a few procedural shortcomings remain. Chief among them are the lack of clarity surrounding the release of frozen funds, the practice of pre-emptive wallet freezes, and the company’s minimal public disclosure when explaining its AML/CFT actions.

A separate concern is the way addresses are added to Tether’s blacklist. The current approach gives bad actors advance notice of an impending freeze, allowing them to move assets to wallets that have not yet been blocked. By our estimates, this vulnerability has been exploited more than 100 times, enabling offenders to retain over US$30 million.

Tether should therefore review its internal blacklisting procedures and eliminate any possibility that information about an imminent freeze appears on a public blockchain before the measure is actually carried out.
