A recent report published by AMLBot, a company specializing in blockchain compliance, has highlighted a significant vulnerability in the blacklist mechanism of Tether (USDT).
According to the analysis, a systemic delay in the process of adding addresses to the blacklist allowed the illicit transfer of over 78 million dollars in USDT before the funds could be frozen.
The procedure, which should theoretically block suspicious addresses in real time, instead leaves a critical time window between the initiation of the report and the actual execution of the block.
This window, which can last more than 40 minutes, has been exploited by malicious actors to move funds out of reach before they could be frozen.
How the Tether (USDT) blacklist works
The Tether blacklist system operates through a multisignature structure on blockchains such as Ethereum and Tron. The process is divided into two main phases:
1. A first multisignature transaction sends a pending call to the USDT-TRC20 contract, publicly flagging an address as a candidate for the blacklist.
2. A second transaction, also multisignature, confirms the action and makes the block effective, emitting the event “AddedBlackList”.
This mechanism, while being transparent and traceable on-chain, introduces an operational delay that can be exploited by those who constantly monitor blockchain transactions.
The AMLBot report provided a specific case to illustrate the vulnerability. At 11:10:12 UTC, a transaction flagged an address on the Tron blockchain as a candidate for the blacklist.
However, the actual confirmation arrived only at 11:54:51 UTC, leaving a window of 44 minutes during which the funds could be moved freely.
This interval, defined by analysts as a “critical attack window,” allows fraudsters to anticipate the blocking action and launder or transfer the funds before they are frozen.
The data collected by AMLBot shows that this vulnerability is not just theoretical. Between November 28, 2017 and May 12, 2025, over 28.5 million dollars in USDT were moved during delays on the Ethereum blockchain.
On Tron, the figure is even higher: 49.6 million dollars. In total, therefore, 78.1 million dollars have been transferred illicitly by exploiting the delay between the report and the actual block.
On average, each wallet involved moved over 365,000 dollars during the delay on Ethereum, while on Tron the average stands at 291,970 dollars per wallet.
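The measurement described above can be reproduced from event data. The following is an added example, not AMLBot's or Tether's code: it pairs each address's first flagging transaction with its "AddedBlackList" confirmation and totals what left the address in between. The "submit" record type, the ADDR_* placeholders, the amounts and the calendar date are constructed assumptions; only the two clock times for ADDR_A and the event name come from the article.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed sample records. "submit" is a hypothetical label for the first
# multisignature transaction; the date and all ADDR_* values are placeholders.
EVENTS = [
    {"type": "submit", "addr": "ADDR_A", "time": ts("2025-01-01 11:10:12")},
    {"type": "AddedBlackList", "addr": "ADDR_A", "time": ts("2025-01-01 11:54:51")},
    {"type": "submit", "addr": "ADDR_B", "time": ts("2025-01-01 12:00:00")},
    {"type": "AddedBlackList", "addr": "ADDR_B", "time": ts("2025-01-01 12:05:00")},
    {"type": "submit", "addr": "ADDR_C", "time": ts("2025-01-01 13:00:00")},  # still pending
]
TRANSFERS = [  # outbound USDT transfers, constructed
    {"from": "ADDR_A", "time": ts("2025-01-01 11:05:00"), "amount": 1_000},    # before flag
    {"from": "ADDR_A", "time": ts("2025-01-01 11:20:00"), "amount": 250_000},  # inside window
    {"from": "ADDR_A", "time": ts("2025-01-01 11:50:30"), "amount": 40_000},   # inside window
    {"from": "ADDR_B", "time": ts("2025-01-01 11:59:00"), "amount": 5_000},    # before flag
    {"from": "ADDR_C", "time": ts("2025-01-01 13:10:00"), "amount": 7_500},    # window still open
]

def freeze_windows(events):
    """Map address -> (first submission time, confirmation time or None)."""
    windows = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        start, end = windows.get(ev["addr"], (None, None))
        if ev["type"] == "submit" and start is None:
            start = ev["time"]
        elif ev["type"] == "AddedBlackList" and start is not None and end is None:
            end = ev["time"]
        windows[ev["addr"]] = (start, end)
    return windows

def exposure(events, transfers):
    """Per address: window length in seconds, transfers and value moved inside it."""
    report = {}
    for addr, (start, end) in freeze_windows(events).items():
        if start is None:
            continue  # confirmation without a recorded submission: no window to measure
        inside = [t for t in transfers if t["from"] == addr
                  and t["time"] >= start and (end is None or t["time"] < end)]
        report[addr] = {
            "window_s": None if end is None else int((end - start).total_seconds()),
            "transfers": len(inside),
            "moved": sum(t["amount"] for t in inside),
        }
    return report

if __name__ == "__main__":
    for addr, row in exposure(EVENTS, TRANSFERS).items():
        print(addr, row)
```

A `window_s` of `None` marks an address that has been flagged but not yet confirmed, which is the state a compliance team would want to alert on while the exposure is still open.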
Suspicious wallets: a non-isolated phenomenon
According to AMLBot, the phenomenon is anything but rare. On the Tron blockchain, 170 wallets out of 3,480 (about 4.88%) took advantage of the delay to make 2-3 transfers before being effectively blocked.
This data highlights how the temporal inefficiency of the blacklist system represents a concrete and systematic vulnerability.
Tether has repeatedly emphasized its ability to freeze assets as a tool for regulatory compliance. Throughout 2024, the company collaborated with Tron and TRM Labs to freeze over 126 million dollars in USDT linked to illicit activities.
However, the AMLBot report raises doubts about the effectiveness and especially the timeliness of such actions.
The delay between the reporting and the execution of the block represents a weak point that can be exploited by those who have technical skills and monitor on-chain activity in real time.
Asked whether the delay is due to technical limitations or to operational delays by the holders of the multisignature wallet keys, the researchers at AMLBot stated that they cannot provide a certain answer, as they do not have access to Tether’s internal procedures.
In the meantime, Tether has not released any official comment regarding the report at the time of publication.
Conclusions: the necessity for greater efficiency
Tether commented on the update as follows:
Let’s be clear: the $76 million referenced in this report should be put in context of the more than $2.7 billion in USD₮ that Tether has successfully frozen and blocked to date. That’s not theoretical — that’s real assets stopped from reaching terrorists, sanctioned entities, fraud rings, and other criminals. While any delay in enforcement should be examined, the idea that this represents a systemic loophole is both misleading and lacking perspective as Tether collaborates with Law Enforcement to freeze addresses on a daily basis. Tether operates on public blockchains, where all activity is visible — unlike fiat currencies that move in secret through traditional banks. This transparency allows Tether, in collaboration with over 255 law enforcement agencies across 55 countries, to track, trace, and freeze illicit funds faster than most realize. In fact, in a recent case involving funds tied to North Korean-affiliated hackers, Tether froze the assets within hours — whereas it took others in the industry more than 24 hours to respond. The delay cited in the report stems from our multi-signature governance model, designed to prevent unilateral freezes and protect the integrity of our system. Yes, this structure introduces a short delay, but it’s a trade-off for responsible responsiveness to a $100+ billion ecosystem. We are actively refining this process to work to eliminate any potential advantage for bad actors. If you think you can use Tether to move illicit funds, think again. USD₮ is arguably the most traceable asset on the planet, and we will continue working relentlessly with our industry partners to identify you, freeze your funds, and ensure you are brought to justice.
The case raised by AMLBot highlights a crucial issue for the stablecoin sector and decentralized finance: the need for compliance tools that are not only effective but also timely.
In an ecosystem where transactions occur in a matter of seconds, even a delay of a few minutes can make the difference between the success and failure of a blocking action.
On-chain transparency, if not accompanied by operational reactivity, risks turning into an advantage for wrongdoers.
The AMLBot report serves as a wake-up call for Tether and all platforms managing digital assets: security and compliance must evolve at the same speed as the technologies that support them.