A recent report published by AMLBot, a company specializing in blockchain compliance, has highlighted a significant vulnerability in the blacklist mechanism of Tether (USDT).
According to the analysis, a systemic delay in the process of adding addresses to the blacklist allowed the illicit transfer of over 78 million dollars in USDT before the funds could be frozen.
The procedure, which should theoretically block suspicious addresses in real-time, instead presents a critical time window between the initiation of the report and the actual execution of the block.
This time frame, which can last even over 40 minutes, has been exploited by malicious actors to move funds and remove them from freezing.
How the Tether (USDT) blacklist works
The Tether blacklist system operates through a multisignature structure on blockchain such as Ethereum and Tron. The process is divided into two main phases:
1. A first multi-signature transaction sends a pending call to the USDT-TRC20 contract, publicly flagging an address as a candidate for the blacklist.
2. A second transaction, also multisignature, confirms the action and makes the block effective, issuing the event “AddedBlackList”.
This mechanism, while being transparent and traceable on-chain, introduces an operational delay that can be exploited by those who constantly monitor blockchain transactions.
The AMLBot report provided a specific case to illustrate the vulnerability. At 11:10:12 UTC, a transaction flagged an address on the Tron blockchain as a candidate for the blacklist.
However, the actual confirmation arrived only at 11:54:51 UTC, leaving a window of 44 minutes during which the funds could be moved freely.
This interval, defined by analysts as a “critical attack window,” allows fraudsters to anticipate the blocking action and launder or transfer the funds before they are frozen.
The data collected by AMLBot shows that this vulnerability is not just theoretical. Between November 28, 2017 and May 12, 2025, over 28.5 million dollars in USDT were moved during delays on the Ethereum blockchain.
On Tron, the figure is even higher: 49.6 million dollars. In total, therefore, 78.1 million dollars have been transferred illicitly by exploiting the delay between the report and the actual block.
On average, each wallet involved moved over 365,000 dollars during the delay on Ethereum, while on Tron the average stands at 291,970 dollars per wallet.
Suspicious wallets: a non-isolated phenomenon
According to AMLBot, the phenomenon is anything but rare. On the Tron blockchain, 170 wallets out of 3,480 (about 4.88%) took advantage of the delay to make 2-3 transfers before being effectively blocked.
This data highlights how the temporal inefficiency of the blacklist system represents a concrete and systematic vulnerability.
Tether has repeatedly emphasized its ability to freeze assets as a tool for regulatory compliance. Throughout 2024, the company collaborated with Tron and TRM Labs to freeze over 126 million dollars in USDT linked to illicit activities.
However, the AMLBot report raises doubts about the effectiveness and especially the timeliness of such actions.
The delay between the reporting and the execution of the block represents a weak point that can be exploited by those with technical skills and who monitor on-chain activities in real time.
To the question of whether the delay is due to technical limitations or operational delays by the holders of the multifirma wallet keys, the researchers at AMLBot stated that they cannot provide a certain answer, as they do not have access to Tether’s internal procedures.
In the meantime, Tether has not released any official comment regarding the report at the time of publication.
Conclusions: the necessity for greater efficiency
The case raised by AMLBot highlights a crucial issue for the stablecoin sector and decentralized finance. Namely, the need for compliance tools that are not only effective but also timely.
In an ecosystem where transactions occur in a matter of seconds, even a delay of a few minutes can make the difference between the success and failure of a bull action.
On-chain transparency, if not accompanied by operational reactivity, risks turning into an advantage for wrongdoers.
The AMLBot report serves as a wake-up call for Tether and all platforms managing digital assets. That is, security and compliance must evolve at the same speed as the technologies that support them.
