Tether blacklist delay allowed $78M in USDT transfers, report says
A lag in Tether’s wallet blacklisting process allowed over $78 million in illicit funds to be moved before enforcement actions took effect, according to a new report from blockchain compliance firm AMLBot.
In a May 15 report, AMLBot’s onchain investigation team explained that Tether’s address blacklisting becomes effective after a considerable delay from when the process is initiated on Ethereum and Tron.
“This delay originates from Tether’s multisignature contract setup on both Tron and Ethereum, transforming what should be an immediate compliance action into a window of opportunity for illicit actors,“ the report stated.
Tether’s blacklisting procedure is a multi-step process with a first transaction effectively warning of the upcoming blacklisting. First, a Tether administrator multisignature transaction submits a pending call to “addBlackList” on the USDT-TRC20 contract.
This results in a public “submission” of the target address as a blacklist candidate. This is followed by a second multisignature transaction confirming the submission, resulting in an “AddedBlackList” emission, making the blacklisting effective.
Related: Tether, Tron and TRM Labs jointly froze $126M USDT in 2024
A warning on incoming blacklisting
In one example shared with Cointelegraph, an onchain transaction submitting a Tron address as a blacklist candidate took place at 11:10:12 UTC. The second transaction that actually enforced the action did not occur until 11:54:51 UTC on the same day, a 44-minute delay.
In practice, this delay can be treated by owners of USDt about to be blacklisted as a notice to move their assets to avoid them being frozen. The report stated:
“This delay between a freeze request and its on-chain execution creates a critical attack window, allowing malicious actors to front-run enforcement and move or launder funds before the freeze takes effect.“
The report claimed that “for blockchain-savvy attackers, these delays are golden.” By tracking Tether’s calls in real time, a fraudster can be instantly alerted that their address is being targeted. When asked by Cointelegraph whether the delay is a technical limitation or just a delay in the actions of a multisignature wallet key holder, AMLBot researchers said that they cannot determine it without knowledge of Tether’s internal procedures.
Tether had not responded to Cointelegraph’s request for comment by publication.
Related: Tether stablecoin issuer and Tron launch financial crime unit
Not just theoretical
AMLBot claimed that its data shows that over $28.5 million in USDT was withdrawn during the delay between the two transactions on the Ethereum blockchain. This amount of freeze avoidance occurred between Nov. 28, 2017, and May 12, 2025. The average amount moved during the delay exceeded $365,000.
Similarly, $49.6 million was reportedly withdrawn during freeze delay windows on the Tron blockchain, resulting in a total on Ethereum and Tron of $78.1 million. Exploiting this delay on Tron is not particularly rare, according to AMLBot:
“170 out of 3,480 wallets (4.88%) on Tron blockchain exploited the lag before getting blacklisted. Each of these wallets made 2–3 transfers during the delay, withdrawing: Average: $291,970.“
Tether has previously promoted its ability to freeze assets as a compliance feature. In 2024, Tether, Tron, and analytics firm TRM Labs cooperated to freeze over $126 million in USDT linked to illicit activity.
Still, the AMLBot report raises questions about the effectiveness and speed of those enforcement actions.
Magazine: Chinese Tether laundromat, Bhutan enjoys recent Bitcoin boost: Asia Express
