and recovering crypto assets.
and recovering crypto assets.
и связей между кошельками.
и связей между кошельками.
How Tether’s Blacklisting Mechanism Allowed Offenders to Retain $50 Million?
Yet are Tether’s internal controls truly infallible? We scrutinized the company’s fund-blocking protocols and the technical mechanisms behind token freezes — and uncovered vulnerabilities that could enable malicious actors to bypass these safeguards.
What is Tether and Its Tokens?
What is Tether and Its Tokens?
Under Salvadoran law, USDT is formally classified as a stablecoin. This definition mirrors the EU’s framework, which defines stablecoins as tokens fully backed by fiat currency or a basket of assets.
As of March 31, 2025, Tether’s balance sheet stood as follows:
- Total Assets: $149,274,515,988.00 USD
- Total Liabilities: $143,682,673,588.00 USD
- Net Equity: $5,591,842,400.00 USD
Today, the vast majority of USDT transactions occur on Tron and Ethereum. Although Tether has deployed smart contracts on additional networks — such as Solana, TON, Avalanche, Celo, Cosmos, and more (see the full list of supported blockchains here) — their transfer volumes and active user counts remain far lower than those on Tron and Ethereum.
While blockchain transparency might imply unrestricted USDT transfers, the reality is more nuanced. Every Tether smart contract embeds an on-chain blacklist — a registry of addresses barred from transacting. Only Tether’s administrators can add addresses to this list, effectively freezing any token movements to or from those accounts.
The process of address blocking and asset freezing is detailed in Tether’s internal policies, specifically in the Terms of Service (the actual Terms of Service is available here) and Law Enforcement Requests Policy (the actual Law Enforcement Requests Policy is available here). According to sections 8.15 and 16 of the Terms of Service, Tether reserves the right to suspend or terminate access to services, freeze any Tether tokens or user accounts if required by law or if Tether independently deems it necessary (such as for user violations or attempts at illegal activities). In other words, when users purchase or use USDT, they agree that in certain circumstances their tokens may be frozen or confiscated. Tether explicitly states its right to freeze client tokens in sections dealing with the legal consequences of violations. In specific cases, Tether can not only freeze the respective amount of USDT but also annul them and recover the fiat backing (essentially confiscating the tokens).
Each blocking is legally formalized individually but always involves an external lawful requirement and an internal Tether decision, followed by technical implementation.
Reasons for Blocking Funds by Tether
Reasons for Blocking Funds by Tether
- Sanctions imposed by various jurisdictions
- Official requests from law enforcement and regulatory bodies
- Voluntary preventive measures
Sanctions by the US and Other Jurisdictions
- OFAC sanctions
- FinCEN requirements
- US AML/CTF laws (Bank Secrecy Act, PATRIOT Act, etc.)
In 2022, after sanctions against Tornado Cash, the company refrained from unilateral blocking of related addresses until receiving official instructions but affirmed readiness, stating, "Tether does consider OFAC Sanctions as part of its world-class compliance program." By late 2023, Tether adopted a proactive policy, voluntarily blocking any new addresses added to the OFAC SDN sanctions list without awaiting individual instructions. This is due to increased attention from US regulators (OFAC) and the necessity to prevent sanctions evasion through stablecoins.
Aside from OFAC SDN sanctions lists, Tether considers AML/CFT legislation requirements. In the US, the Financial Crimes Enforcement Network (FinCEN) handles this. Under US law, any assets investigated by FinCEN (linked to money laundering, drug trafficking, terrorism financing, etc.) can be frozen. If a USDT address is involved in a US investigation (by FinCEN, FBI, etc.), the company risks violating the Bank Secrecy Act and other federal laws if it fails to act.
EU legislation may also serve as basis for blocking, specifically sanction lists or AML directive requirements (AMLD). Although Tether is not registered in the EU, it declares global compliance (within its "world-class compliance program") and effectively complies with European sanctions and AML/CFT laws alongside US laws. EU Directives on AML (AMLD 4−6) require cryptocurrency industry controls, including transaction monitoring and suspicious asset freezing.
Official Requests from Law Enforcement and Regulatory Bodies
Official Requests from Law Enforcement and Regulatory Bodies
For Tether to freeze addresses and tokens, appropriate legal grounds are needed. According to the Law Enforcement Requests Policy, the company responds only to official requests from US law enforcement and regulatory bodies but accepts documents from any country.
These can include:
- subpoena (court summons requiring information or actions)
- production order (court order to freeze assets or disclose information)
- warrant (order, e.g., to arrest/confiscate specific crypto in a criminal case)
Equivalent instruments exist outside the US (e.g., EU state court orders, European asset confiscation warrants). Upon receiving a request, Tether verifies the requester’s authority (requests must come from official agency domains, citing legal grounds or court rulings).
In some cases, Tether responds to less formal requests — such as an email notification from the government authority assuring that an official warrant is pending. Such emergency requests occur when accounts belong to criminals at risk of immediate asset withdrawal. Generally, Tether fulfills voluntary law enforcement requests if they can be verified, with formal documents provided subsequently.
However, Tether does not directly freeze tokens at the request of individual users (e.g., fraud victims). Private individuals cannot directly request another wallet’s blocking without a corresponding law enforcement or judicial request. Users must first contact the police, who submit requests through courts or authorities to Tether.
Voluntary Preventive Measures
Voluntary Preventive Measures
Voluntary measures also include freezing funds stolen during major hacks at the request of victims or analytical companies. For example, Tether cooperates with blockchain analytics companies (Chainalysis, SlowMist, BitOK, etc.) and can voluntarily freeze tokens as soon as it receives credible information about fraud. In July 2024, according to MistTrack, $ 870,000 USDT was frozen across three addresses linked to phishing and theft — a proactive measure based on monitoring without any public indication of a direct government order.
However, Tether acts cautiously: in 2022, the company openly stated that it would not unilaterally freeze suspicious addresses without a clear law enforcement request to avoid disrupting covert investigations: "Even if Tether recognizes suspicious activities on such an address, completing a freeze without the verified instruction of law enforcement and other government agencies might interfere with ongoing and sophisticated law enforcement investigations". Law enforcement agencies themselves sometimes request not to hasten the blocking of specific addresses to track criminal networks and Tether complies with these instructions.
Thus, Tether’s voluntary policy has evolved: previously (up to 2022), the company blocked primarily upon requests, but by 2023−2024, it began proactively initiating blocks (especially concerning sanctioned and widely recognized criminal wallets) to protect the ecosystem and reputation and to cooperate with the global cybersecurity community.
Can Funds Be Unblocked?
Can Funds Be Unblocked?
There certainly are examples of successful unblocking. According to public blockchain data, out of 5131 blocked wallets in Tron and Ethereum, a total of 330 wallets have been removed from the blacklist. This accounts for just 6% of blocked wallets, a small number and the exact unblocking procedure is not specified anywhere.
What is the Volume and Frequency of Tether's Blocking Now?
What is the Volume and Frequency of Tether's Blocking Now?
The chart below illustrates how both the volume of blocked funds and the number of blocked wallets have increased recently.
The chart clearly shows a noticeable increase in asset freezes subsequent to Tether's implementation of voluntary blocking measures in December 2023.
How is the Blocking Mechanism Implemented in Tether’s Smart Contracts?
How is the Blocking Mechanism Implemented in Tether’s Smart Contracts?
Let’s examine the source code of these smart contracts:
- TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t (Tron) — view full source code on Tronscan.
- 0xdac17f958d2ee523a2206206994597c13d831ec7 (Ethereum) — view full source code on Etherscan.
The smart contract implements the blocking mechanism via three key functions:
- addBlackList (address). After calling this function, all token operations on the specified address are immediately disabled.
- removeBlackList (address). After calling this function, the address is immediately removed from the blacklist and can resume token transfers.
- destroyBlackFunds (address). After calling this function all funds held by the blacklisted address are immediately burned.
Inspecting the smart contracts reveals that the owner on the Tron network is TBPxhVAsuzoFnKyXtc1o2UySEyd
PHgATto, while on Ethereum it is 0xC6CDE7C39eB2f0F0095F41570af
89eFC2C1Ea828.
The owner of the USDT smart contract on Tron.
The owner of the USDT smart contract on Ethereum.
By looking up these addresses on any blockchain explorer, you’ll discover they’re not simple cold wallets but multisig smart contracts.
A multisig wallet is a cryptocurrency wallet that requires multiple key signatures to perform operations — whether managing funds or interacting with smart contracts. In other words, a transaction only goes through when at least m out of n designated owners approve it.
The process for operations requiring confirmations involves two steps:
- Constructing the transaction that the wallet will execute.
- Collecting the required confirmations and then submitting the transaction for on-chain execution.
A key drawback of multisig wallets is the delay between proposing a fully parameterized transaction and its actual execution on the blockchain. During this window, anyone monitoring pending transactions can inspect — and potentially exploit — the transaction details before it’s finalized.
Collecting Blocks through Tether’s Multisig Wallet
Collecting Blocks through Tether’s Multisig Wallet
First, let’s fetch all transactions associated with these wallet smart contracts:
For fetched Tron transactions, we observe the following smart-contract calls:
- submitTransaction (3604 calls)
- confirmTransaction (3513 calls)
- revokeConfirmation (6 calls)
- executeTransaction (3 calls)
On Ethereum, the pattern shifts:
- submitTransaction (4247 calls)
- confirmTransaction (7864 calls)
Next, we’ll focus exclusively on the submitTransaction calls, since this function determines which transaction is created upon confirmation — and that’s where all future blacklist additions originate.
The function code is as follows:
/// @dev Allows an owner to submit and confirm a transaction.
/// @param destination Transaction target address.
/// @param value Transaction ether value.
/// @param data Transaction data payload.
/// @return Returns transaction ID.
function submitTransaction(address destination, uint value, bytes data)
public returns (uint transactionId)
{
transactionId = addTransaction(destination, value, data);
confirmTransaction(transactionId);
}
This function takes three parameters:
- destination. The address of the target smart contract to be called.
- value. The amount in the native token (TRX or ETH) that should be sent to the target smart contract.
- data. Binary data with which the target smart contract will be called.
Example of calling the submitTransaction function.
On success, the function returns a new transaction identifier and emits two events simultaneously:
- Submission(transactionId). Emitted when the transaction is submitted.
- Confirmation(msg.sender, transactionId). Emitted as the first confirmation of the transaction.
Example of emitted events.
Now we need to:
- Gather all submitTransaction calls and decode their destination and data parameters.
- Filter those calls to only the ones invoking addBlackList on the USDT token contracts, extracting the blocked addresses.
- Determine the resulting transaction ID for each of those calls.
All submitTransaction calls have been extracted for analysis:
The remainder of the data payload encodes the address argument for addBlackList, which we decode.
Finally, from the transaction receipt logs we read the Submission (uint256) event to obtain the newly created transaction ID.
This produces a table summarizing each address-blacklisting initiation:
The table below lists only the final confirmTransaction calls — those that satisfy the required confirmation threshold — for each transaction, with each decoded transactionId recorded.
As the final step of this analysis, we match each submitTransaction call with its corresponding final confirmTransaction call by transaction ID, and compile the results into one table:
We now have both the initiation and completion records for each blacklist addition, giving us precise start and end timestamps for the entire process.
Analyzing the Impact of the Vulnerability and Volume of «Saved» Funds
Analyzing the Impact of the Vulnerability and Volume of «Saved» Funds
On Tron, the overall average delay is 37 hours, with a median of 2 hours 47 minutes. Over the past year, the average delay fell to 4 hours 57 minutes, with the median at 2 hours. However, these delays remain substantial! Several cases over the past year stretched to 24 hours, 40 hours, and even 151 hours.
On Ethereum, the issue is even more pronounced: the average delay is 151 hours, with a median of 5 hours and 26 minutes.
The longest observed delay on Tron was 58 days, while on Ethereum it soared to 678 days—nearly two years.
Finally, let’s compute the key metrics—deposits, withdrawals, and frozen balances—for blocked wallets during the interval between blacklisting initiation and completion:
However, it would be naive to assume that everyone who withdrew funds knew they were about to be blacklisted. To flag potential insiders, we apply a heuristic:
- any wallet ending the blacklisting window with under 20 USDT remaining or with a balance below 5 % of its net outflows.
Under these criteria:
- 80 potential insiders on Tron withdrew $18.1 million.
- 28 potential insiders on Ethereum withdrew $13.0 million.
Let’s visualize the monthly trends for potential insider activity:
With such prolonged confirmation delays, savvy wallet owners can anticipate impending blacklists and migrate assets to fresh, “clean” addresses. Moreover, this workflow could be fully automated—potentially protecting funds in up to 99% of cases.
Conclusion
Conclusion
Despite these strengths, a few procedural shortcomings remain. Chief among them are the lack of clarity surrounding the release of frozen funds, the practice of pre-emptive wallet freezes, and the company’s minimal public disclosure when explaining its AML/CFT actions.
A separate concern is the way addresses are added to Tether’s blacklist. The current approach gives bad actors advance notice of an impending freeze, allowing them to move assets to wallets that have not yet been blocked. By our estimates, this vulnerability has been exploited more than 100 times, enabling offenders to retain over US $ 30 million.
Tether should therefore review its internal blacklisting procedures and eliminate any possibility that information about an imminent freeze appears on a public blockchain before the measure is actually carried out.
