Since 2017, criminals exploited Tether freeze delays to move $78M in USDT via Ethereum and Tron, AMLBot report finds.
According to a recent report from AMLBot, criminals have been able to exploit Tether’s fund-freezing mechanism and transfer over $78 million in USDT across Ethereum and Tron since 2017, as a result of the delay.
The Vulnerabilities of Tether’s Freeze Mechanism
AMLBot, a blockchain forensics firm, has reported that Tether’s process for suspending USDT associated with criminal activity contains a delay that criminals have exploited. The company discovered that the blacklisting process necessitates a multi-signature arrangement, which results in a delay between the submission of a freeze request and its execution on the blockchain.
The freeze transaction necessitates the signature of multiple parties, a procedure that may require a significant amount of time to finalize. Some wallets have transferred funds before the commencement of the ban during this period. This period was referred to as a “critical window” for illicit actors by AMLBot.
The report was assessed by PeckShield, a blockchain security firm, which verified the delay.
“It does not necessarily indicate a problem with the contract itself,” a spokesperson said. “Rather, it is an operational issue that creates a time window between when the blacklist transaction is submitted and when it is executed.”
Ethereum and Tron Facilitated the Transfer of $78 Million
AMLBot’s findings indicated that malicious actors exploited this vulnerability to withdraw $49.6 million from Tron and $28.5 million from Ethereum. In one instance, the halt request was confirmed on the Tron network 44 minutes after submission. This allowed wallets to execute up to three transactions before being blocked.
This latency was exploited by 4.88% of all blacklisted wallets on Tron, as per AMLBot. Although Ethereum-based wallets were lower in volume, they also capitalized on this operational gap. Such wallets have transferred $78.1 million in USDT since 2017.
AMLBot thinks that certain actors may be employing instruments to monitor freeze requests. These tools are designed to identify specific smart contract transactions involved in the freezing process. The tools notify the wallet owner if a contact of this nature is detected, allowing them to transfer funds.
Industry Responses and Security Concerns
Tether is the issuer of USDT, the world’s largest stablecoin, and it frequently freezes tokens associated with unlawful activities. Its blacklisting procedure was recently implemented in response to the $1.4 billion Bybit hack, which was associated with North Korea’s Lazarus Group. Germany has recently seized $38M from the exploit, even though Tether froze addresses to prevent the stolen assets from being moved or exchanged.
PeckShield clarified that the vulnerability is a recognized issue with multi-signature wallets. These purses are employed to enhance security but impede the execution of critical operations. PeckShield proposed that Tether could improve this by consolidating the halt request and the requisite signatures into a single on-chain transaction to prevent delays.
As per Slava Demchuk, CEO of AMLBot, “Tools can be programmed to monitor the blockchain for specific contract interactions, such as submitTransaction() calls linked to freeze requests.” He further stated that the firm has not directly observed the bots; however, the on-chain behavior strongly suggests that automated systems are involved.
Amidst scrutiny, Tether has implemented measures to enhance compliance by forming a partnership with Chainalysis. Chainalysis’ monitoring tools will be integrated into Tether’s Hadron platform, which is dedicated to tokenizing real-world assets.
AMLBot is being criticized for the purported misuse of its tools
During the investigation, ZachXBT, a blockchain specialist, identified several deficiencies with AMLBot. He claimed that AMLBot’s proprietary tools enable criminals to remain undetected.
AMLBot was employed to transmit stolen funds through instant exchanges shortly after the $243 million Genesis creditor theft in August 2024, as reported by ZachXBT. In February 2025, the BlackBasta ransomware group’s breach records also cited AMLBot as a recommended platform for verifying flagged addresses.
Krebs, a cybercrime researcher, previously reported that AMLBot clients utilized Antinalysis, a tool developed by the darknet group “Incognito” to assess the likelihood of being detected.
Despite these allegations, AMLBot maintains that its tools are designed for compliance and surveillance. It persists in warning that criminals are becoming increasingly sophisticated and actively exploiting operational delays.
