Author: BlockSec

0. Introduction

The rapid development of stablecoins in recent years has led regulatory agencies to increasingly emphasize the establishment of mechanisms capable of freezing illegal funds. We observe that mainstream stablecoins like USDT and USDC already possess this capability technically. In practice, there have been several cases demonstrating that these mechanisms do indeed play a role in combating money laundering and other illegal financial activities.

Furthermore, our research indicates that stablecoins are not only used for money laundering but also frequently appear in the financing processes of terrorist organizations. This article therefore approaches the topic from two perspectives:

  1. Systematic review of the freezing behavior of USDT blacklisted addresses;

  2. Exploring the relationship between frozen funds and terrorist financing.

This report is based on publicly available on-chain data, and there may be inaccuracies or omissions. For suggestions or corrections, please contact us: [email protected].

1. Analysis of USDT Blacklisted Addresses

We identify and trace Tether blacklisted addresses through on-chain event monitoring. The analytical method has been verified through the source code of Tether's smart contracts. The core logic is as follows:

  • Event Identification: Tether contracts maintain blacklist status through two events:

    • AddedBlackList: New blacklisted address added

    • RemovedBlackList: Blacklisted address removed

  • Dataset Construction: We record the following fields for each blacklisted address:

    • The address itself

    • Time of blacklisting (blacklisted_at)

    • If the address is removed from the blacklist, the time of removal is recorded (unblacklisted_at)

Below are the implementations of relevant functions in the contract:

    // Owner-only: flag the address and emit the event used for monitoring.
    function addBlackList(address _evilUser) public onlyOwner {
        isBlackListed[_evilUser] = true;
        AddedBlackList(_evilUser);
    }

    // Owner-only: clear the flag and emit the matching removal event.
    function removeBlackList(address _clearedUser) public onlyOwner {
        isBlackListed[_clearedUser] = false;
        RemovedBlackList(_clearedUser);
    }

    event AddedBlackList(address indexed _user);
    event RemovedBlackList(address indexed _user);
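The dataset construction described above, as an added example that is not BlockSec's own code: it replays already-decoded AddedBlackList / RemovedBlackList logs in chain order and emits one row per blacklisting interval. The log field names (`block`, `log_index`, `ts`, `user_topic`) and the sample logs are constructed assumptions; because the contract functions set the flag without checking its previous state, repeated adds and removals of never-listed addresses are handled explicitly.

```python
from datetime import datetime, timezone

A, B, C = ("0x" + h * 20 for h in ("aa", "bb", "cc"))  # constructed addresses

def sample_log(event, block, addr):
    """Constructed log record; user_topic is the indexed address, left-padded to 32 bytes."""
    return {"event": event, "block": block, "log_index": 0,
            "ts": 1_750_000_000 + block, "user_topic": "0x" + "00" * 12 + addr[2:]}

SAMPLE_LOGS = [  # deliberately out of chain order
    sample_log("AddedBlackList", 300, A),    # re-listed after an earlier removal
    sample_log("AddedBlackList", 120, A),
    sample_log("AddedBlackList", 130, A),    # duplicate add while already listed
    sample_log("AddedBlackList", 150, B),
    sample_log("RemovedBlackList", 160, C),  # removal of a never-listed address
    sample_log("RemovedBlackList", 200, A),
]

def address_from_topic(topic):
    """An indexed address occupies the low 20 bytes of a 32-byte topic."""
    raw = bytes.fromhex(topic[2:])
    if len(raw) != 32 or any(raw[:12]):
        raise ValueError("not a left-padded address topic")
    return "0x" + raw[12:].hex()

def build_blacklist_dataset(logs):
    """Return rows of address, blacklisted_at, unblacklisted_at (None if still listed)."""
    rows, open_rows = [], {}
    for log in sorted(logs, key=lambda l: (l["block"], l["log_index"])):
        addr = address_from_topic(log["user_topic"])
        when = datetime.fromtimestamp(log["ts"], tz=timezone.utc)
        if log["event"] == "AddedBlackList":
            if addr in open_rows:          # flag was already set: state unchanged
                continue
            row = {"address": addr, "blacklisted_at": when, "unblacklisted_at": None}
            rows.append(row)
            open_rows[addr] = row
        elif log["event"] == "RemovedBlackList":
            row = open_rows.pop(addr, None)
            if row is not None:            # ignore removals with no open interval
                row["unblacklisted_at"] = when
    return rows

def currently_blacklisted(rows):
    return sorted(r["address"] for r in rows if r["unblacklisted_at"] is None)

if __name__ == "__main__":
    for r in build_blacklist_dataset(SAMPLE_LOGS):
        print(r)
```
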

1.1 Core Findings

Based on Tether data on Ethereum and Tron blockchains, we observe the following trends:

Since January 1, 2016, a total of 5,188 addresses have been blacklisted, involving frozen funds exceeding $2.9 billion.

Between June 13 and 30, 2025, a total of 151 addresses were blacklisted, 90.07% of them on the Tron chain (see appendix for address list), with frozen amounts reaching $86.34 million. Blacklisting events peaked on June 15, 20, and 25, with June 20 seeing as many as 63 addresses blacklisted in a single day.

  • Frozen amount distribution: The top ten addresses by amount frozen collectively account for $53.45 million, representing 61.91% of the total frozen amount. The average frozen amount is $571,800, but the median is only $40,000, indicating that a small number of large addresses inflate the overall average, while the vast majority have relatively small frozen amounts.

  • Lifecycle fund distribution: These addresses have cumulatively received $808 million, of which $721 million was transferred out before being blacklisted, with only $86.34 million actually frozen. This suggests that most funds were successfully transferred before regulatory intervention. Furthermore, 17% of the addresses have no outgoing transaction records, potentially serving as temporary storage or fund aggregation points, warranting further attention.

  • Newly created addresses are more likely to be blacklisted: 41% of blacklisted addresses were created less than 30 days ago, 27% had existed for 91–365 days, and only 3% had been in use for over 2 years, indicating that new addresses are more likely to be used for illegal activities.

  • Most addresses achieve 'escape before freezing': About 54% of addresses had transferred out over 90% of their funds before being blacklisted, and another 10% had a balance of 0 at the time of freezing, indicating that most law enforcement actions can only freeze the residual value of the funds.

  • New addresses exhibit higher money laundering efficiency: Through the FlowRatio vs. DaysActive scatter plot, we find that new addresses excel in terms of quantity, blacklisting frequency, and transfer efficiency, achieving the highest success rate in money laundering.
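An added example (not BlockSec's code) of how the per-address figures in this list can be derived from a transfer history and a blacklisting time: amount received, amount moved out before the freeze, frozen residual, address age, and the mean/median and top-N concentration of frozen balances. The transfer tuples, the status labels and the exact metric definitions (for example, treating a zero balance as a separate class from "over 90% transferred out") are assumptions made for this sketch, and the data is constructed.

```python
from statistics import mean, median

DAY = 86400
# Constructed USDT transfers: (unix_ts, sender, receiver, amount). Not chain data.
TRANSFERS = [
    (0 * DAY, "ext", "A", 1000.0), (2 * DAY, "A", "ext", 950.0),
    (10 * DAY, "ext", "B", 500.0), (11 * DAY, "B", "ext", 500.0),
    (30 * DAY, "ext", "C", 40.0),
]
BLACKLISTED_AT = {"A": 20 * DAY, "B": 400 * DAY, "C": 40 * DAY}  # constructed

def profile(addr, frozen_at, transfers):
    """Lifecycle figures for one address, counting only activity before the freeze."""
    before = [t for t in transfers if t[0] < frozen_at and addr in (t[1], t[2])]
    received = sum(a for _, s, r, a in before if r == addr)
    sent = sum(a for _, s, r, a in before if s == addr)
    frozen = received - sent
    out_ratio = sent / received if received else 0.0
    if frozen == 0:
        status = "empty"              # nothing left to freeze
    elif out_ratio > 0.9:
        status = "mostly_drained"     # over 90% moved out before blacklisting
    else:
        status = "residual"
    age_days = (frozen_at - min(t[0] for t in before)) / DAY if before else 0.0
    return {"address": addr, "received": received, "sent": sent, "frozen": frozen,
            "out_ratio": out_ratio, "status": status,
            "no_outgoing": sent == 0, "age_days": age_days}

def summarize(profiles, top_n=1):
    """Aggregate view: mean vs. median frozen amount, concentration, escape share."""
    frozen = sorted((p["frozen"] for p in profiles), reverse=True)
    total, n = sum(frozen), len(profiles)
    return {
        "total_frozen": total,
        "mean_frozen": mean(frozen),
        "median_frozen": median(frozen),
        "top_share": sum(frozen[:top_n]) / total if total else 0.0,
        "escaped_share": sum(p["status"] != "residual" for p in profiles) / n,
        "new_address_share": sum(p["age_days"] < 30 for p in profiles) / n,
    }

PROFILES = [profile(a, t, TRANSFERS) for a, t in sorted(BLACKLISTED_AT.items())]

if __name__ == "__main__":
    print(summarize(PROFILES))
```
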

1.2 Fund Flow Tracking

Through BlockSec's on-chain tracking tool MetaSleuth (https://metasleuth.io), we further analyzed the fund flows of 151 USDT addresses that were blacklisted between June 13 and 30, identifying major sources and destinations of funds.

1.2.1 Fund Source Analysis

  • Internal Pollution (91 addresses): These addresses receive funding from other blacklisted addresses, indicating a highly interconnected money laundering network.

  • Phishing Tags (37 addresses): Many upstream addresses are labeled as 'Fake Phishing' in MetaSleuth, likely deceptive tags intended to obscure illegal origins.

https://metasleuth.io/result/tron/THpNSa3BMNPPzVNTPZ6aTmRsVzGR6uRmma?source=26599be9-c3a9-42a6-a2ae-b6de72418003

  • Exchange Hot Wallets (34 addresses): Fund sources include hot wallets from exchanges such as Binance (20), OKX (7), and MEXC (7), possibly related to stolen accounts or 'mule accounts'.

  • Single Main Distributor (35 addresses): The same blacklisted address appears as the upstream source multiple times, possibly acting as an aggregator or mixer for fund distribution.

  • Cross-chain bridging entry points (2 addresses): Some funds originated from cross-chain bridges, indicating possible cross-chain money laundering operations.

1.2.2 Fund Destination Analysis

  • Flow to other blacklisted addresses (54): There exists a structure of 'internal loop chains' among blacklisted addresses.

  • Flow to centralized exchanges (41): These addresses transferred funds to deposit addresses of CEXs like Binance (30) and Bybit (7), achieving an 'exit'.

  • Flow to cross-chain bridges (12): Indicating that some funds are attempting to escape the Tron ecosystem and continue cross-chain money laundering.

https://metasleuth.io/result/tron/TBqeWc1apWjp5hRUrQ9cy8vBtTZSSnqBoY?source=ddea74a3-fb52-4203-846a-c7be07fbb78d

It is noteworthy that both Binance and OKX appear on both ends of fund inflows (hot wallets) and outflows (deposit addresses), further highlighting their central position in the fund chain. The current inadequacy of exchanges in implementing AML/CFT measures and the lag in asset freezing may allow wrongdoers to complete asset transfers before regulatory intervention.

We recommend that major crypto exchanges, as core channels for funds, strengthen real-time monitoring and risk interception mechanisms to prevent potential issues.

https://metasleuth.io/result/tron/TFjqBgossxvtfrivgd6mFVhZ1tLqqyfZe9?source=7ba5d0da-d5b5-41ab-b54c-d784fb57f079

2. Terrorist Financing Analysis

To further understand the use of USDT in terrorist financing, we analyzed the Administrative Seizure Orders issued by Israel's National Bureau for Counter Terror Financing (NBCTF). Although a single data source cannot reconstruct the full picture, it serves as a representative sample for a conservative analysis and estimate of USDT's involvement in terrorism-related transactions.

2.1 Core Findings

  • Release Timing: Since the escalation of the Israel-Iran conflict on June 13, 2025, only one new seizure order has been issued (June 26). The previous document was dated June 8, indicating a lag in enforcement response during periods of geopolitical tension.

  • Target Organizations: Since the outbreak of conflict on October 7, 2024, the NBCTF has issued 8 seizure orders, 4 of which explicitly mentioned 'Hamas', with the latest mentioning 'Iran' for the first time.

  • Addresses and assets involved in the seizure order:

    • 76 USDT (Tron) addresses

    • 16 BTC addresses

    • 2 Ethereum addresses

    • 641 Binance accounts

    • 8 OKX accounts

Our on-chain tracing of 76 USDT (Tron) addresses reveals two behavioral patterns of Tether in response to these official directives:

  1. Proactive freezing: Tether had already blacklisted 17 Hamas-related addresses before the seizure order was issued, averaging 28 days in advance, with some as early as 45 days in advance.

  2. Rapid response: For the remaining addresses, Tether completed freezing within an average of only 2.1 days after the seizure order was announced, demonstrating good law enforcement cooperation capabilities.

These signs indicate a close, even proactive, cooperation mechanism between Tether and some national law enforcement agencies.

3. Summary and Challenges Facing AML/CFT

Our research shows that while stablecoins like USDT provide technical means for transaction controllability, AML/CFT still faces the following challenges in practice:

3.1 Core Challenges

  • Delayed enforcement vs. proactive prevention: Currently, most law enforcement actions still rely on post-event handling, leaving room for wrongdoers to transfer assets.

  • Regulatory blind spots of exchanges: Centralized exchanges, as hubs for fund inflows and outflows, often lack sufficient monitoring, making it difficult to identify abnormal behavior in a timely manner.

  • Cross-chain money laundering is becoming increasingly complex: The use of multi-chain ecosystems and cross-chain bridges makes fund transfers more obscure, significantly increasing the difficulty of regulatory tracking.

3.2 Recommendations

We recommend that stablecoin issuers, exchanges, and regulatory agencies:

  • Strengthen on-chain intelligence sharing;

  • Invest in real-time behavioral analysis technology;

  • Establish a cross-chain compliance framework.

Only under a timely, collaborative, and technically mature AML/CFT system can the legitimacy and security of the stablecoin ecosystem be truly guaranteed.

4. BlockSec's Efforts

At BlockSec, we are committed to promoting the security and compliance of the crypto industry, focusing on providing actionable on-chain solutions for AML and CFT. We have launched two key products:

4.1 Phalcon Compliance

Designed for exchanges, regulatory agencies, payment projects, and DEXs, supporting:

  • Multi-chain address risk scoring

  • Real-time transaction monitoring

  • Blacklist identification and alerting

Helping users meet increasingly stringent compliance requirements.

4.2 MetaSleuth

Our visual on-chain tracking platform has been adopted by over 20 regulatory and law enforcement agencies worldwide. It supports:

  • Visualized fund tracking

  • Multi-chain address profiling

  • Complex path restoration and analysis

These two tools collectively embody our mission—to safeguard the order and security of the decentralized financial system.

Some addresses mentioned in the text:

https://docs.google.com/spreadsheets/d/1pz7SPTY2J4S7rGMiq6Dzi2Q5p0fXSGKzl9QF2PiV6Gw/edit?usp=sharing