0. Introduction
Stablecoins have developed rapidly in recent years. With their widespread application, regulators increasingly emphasize the establishment of a mechanism capable of freezing illegal funds. We observe that mainstream stablecoins like USDT and USDC now technically possess this capability. In practice, there have been several cases showing that these mechanisms have indeed played a role in combating money laundering and other illegal financial activities.
Furthermore, our research indicates that stablecoins are not only used for money laundering but also frequently appear in the financing processes of terrorist organizations. Therefore, this article analyzes from two perspectives:
A systematic review of the freezing behaviors of USDT blacklisted addresses;
Exploring the connection between frozen funds and terrorist financing.
This report is based on publicly available on-chain data analysis, which may be inaccurate or incomplete. If you have suggestions or corrections, please feel free to contact us: [email protected].
1. USDT Blacklist Address Analysis
We identify and track Tether blacklisted addresses through on-chain event monitoring. The analytical method has been verified through the Tether smart contract source code. The core logic is as follows:
Incident identification:
Tether contracts maintain blacklist status through two events:
AddedBlackList: Newly added blacklisted addresses
RemovedBlackList: Removed blacklisted addresses
Dataset construction:
We record the following fields for each blacklisted address:
The address itself
The time the address was blacklisted (blacklisted_at)
If the address is removed from the blacklist, record the time of removal (unblacklisted_at)
The following are the implementations of the relevant functions in the contract:
1.1 Core Findings
Based on Tether data on the Ethereum and Tron chains, we found the following trends:
Since January 1, 2016, a total of 5,188 addresses have been added to the blacklist, involving frozen funds exceeding 2.9 billion dollars.
During the period from June 13 to June 30, 2025, a total of 151 addresses were blacklisted, of which 90.07% came from the Tron chain (the list of addresses can be found in the appendix), with frozen amounts reaching up to 86.34 million dollars. The time distribution of blacklisting events: June 15, 20, and 25 were peaks of blacklisting, with June 20 seeing as many as 63 addresses blacklisted in a single day.
Distribution of frozen amounts: The top ten addresses account for a total of 53.45 million dollars frozen, which is 61.91% of the total frozen amount. The average frozen amount is 571,800 dollars, but the median is only 40,000 dollars, indicating that a small number of large addresses inflate the overall average, while the vast majority of addresses have smaller frozen amounts.
Lifecycle fund distribution: These addresses have cumulatively received 808 million dollars, of which 721 million dollars were transferred out before being blacklisted, with only 86.34 million dollars actually frozen. This indicates that most funds were successfully transferred before regulatory intervention. In addition, 17% of addresses have no outgoing transaction records, possibly serving as temporary storage or fund aggregation points, warranting further attention.
Newly created addresses are more likely to be blacklisted: 41% of blacklisted addresses were created less than 30 days ago, 27% existed for 91–365 days, and only 3% have been used for more than 2 years, indicating that new addresses are more likely to be used for illegal activities.
Most addresses realize 'escape before freezing': About 54% of addresses transferred out more than 90% of their funds before being blacklisted, while another 10% had a balance of 0 at the time of freezing, indicating that law enforcement actions mostly only manage to freeze the remaining value of funds.
New addresses have higher money laundering efficiency: Through the FlowRatio vs. DaysActive scatter plot, we find that new addresses perform outstandingly in terms of quantity, blacklisting frequency, and transfer efficiency, with the highest success rate in money laundering.
1.2 Fund Flow Tracking
Using BlockSec's on-chain tracking tool MetaSleuth (https://metasleuth.io), we further analyzed the fund flows of the 151 USDT addresses blacklisted between June 13 and June 30, identifying the main sources and flows of funds.
1.2.1 Source of Funds Analysis
Internal pollution (91 addresses): The funds of these addresses come from other already blacklisted addresses, indicating a highly interconnected money laundering network.
Fishing Tags (37 addresses): Many upstream addresses are labeled as 'Fake Phishing' in MetaSleuth, possibly deceptive labels to cover illegal sources.
https://metasleuth.io/result/tron/THpNSa3BMNPPzVNTPZ6aTmRsVzGR6uRmma?source=26599be9-c3a9-42a6-a2ae-b6de72418003
Exchange hot wallets (34 addresses): Sources of funds include hot wallets from exchanges such as Binance (20), OKX (7), and MEXC (7), possibly related to stolen accounts or 'mule accounts'.
Single main distributor (35 addresses): The same blacklisted address serves multiple times as upstream, possibly acting as an aggregator or mixer for fund distribution.
Cross-chain bridge entry points (2 addresses): Some funds come from cross-chain bridges, indicating cross-chain money laundering operations.
1.2.2 Fund Flow Analysis
Flowing to other blacklisted addresses (54): There is an 'internal circular chain' structure among the blacklisted addresses.
Flowing to centralized exchanges (41): These addresses transfer funds to recharge addresses of CEX such as Binance (30), Bybit (7), achieving an 'exit'.
Flowing to cross-chain bridges (12): Indicates that some funds attempt to escape the Tron ecosystem and continue cross-chain money laundering.
https://metasleuth.io/result/tron/TBqeWc1apWjp5hRUrQ9cy8vBtTZSSnqBoY?source=ddea74a3-fb52-4203-846a-c7be07fbb78d
It is worth noting that Binance and OKX appear on both ends of fund inflow (hot wallets) and outflow (recharge addresses), further highlighting their core position in the funding chain. The current lack of enforcement by exchanges on AML/CFT and delayed asset freezing may allow criminals to complete asset transfers before regulatory intervention.
We recommend that major cryptocurrency exchanges, as the core channels for funds, strengthen real-time monitoring and risk interception mechanisms to prevent issues before they arise.
https://metasleuth.io/result/tron/TFjqBgossxvtfrivgd6mFVhZ1tLqqyfZe9?source=7ba5d0da-d5b5-41ab-b54c-d784fb57f079
2. Terrorist Financing Analysis
To further understand the use of USDT in terrorist financing, we analyzed the administrative seizure orders issued by the Israeli National Bureau for Counter Terrorism Financing (NBCTF). Although the single data source we employed makes it difficult to restore the whole picture, we use it as a representative sample for a conservative analysis and estimate of USDT's involvement in terrorist transactions.
2.1 Core Findings
Release point: Since the escalation of the Israel-Iran conflict on June 13, 2025, only one new seizure order has been added (June 26). The last document was dated June 8, indicating a lag in law enforcement response during periods of geopolitical tension.
Target Organization: Since the outbreak of conflict on October 7, 2024, the NBCTF has issued 8 seizure orders, 4 of which explicitly mention 'Hamas', and the latest mentions 'Iran' for the first time.
Addresses and assets involved in seizure orders:
76 USDT (Tron) addresses
16 BTC addresses
2 Ethereum addresses
641 Binance accounts
8 OKX accounts
Our on-chain tracking of 76 USDT (Tron) addresses reveals two behavioral patterns of Tether in response to these official directives:
Proactive freezing: Tether had already blacklisted 17 Hamas-related addresses before the seizure orders were issued, averaging 28 days in advance, with the earliest being 45 days in advance.
Rapid response: For the remaining addresses, Tether completed the freezing on average in just 2.1 days after the seizure orders were published, showing good cooperation with law enforcement.
These signs indicate a close, even proactive cooperation mechanism between Tether and some national law enforcement agencies.
3. Summary and Challenges Facing AML/CFT
Our research shows that while stablecoins like USDT provide technical means for transaction controllability, in practice, AML/CFT still faces the following challenges:
3.1 Core Challenges
Delayed enforcement vs. proactive prevention: Currently, most law enforcement actions still rely on post-event handling, leaving space for criminals to transfer assets.
Regulatory blind spots of exchanges: Centralized exchanges, as hubs for fund inflows and outflows, often lack sufficient monitoring, making it difficult to timely identify abnormal behavior.
Cross-chain money laundering is becoming increasingly complex: The use of multi-chain ecosystems and cross-chain bridges makes fund transfers more covert and significantly increases the difficulty of regulatory tracking.
3.2 Recommendations
We recommend that stablecoin issuers, exchanges, and regulatory agencies:
Enhance on-chain intelligence sharing;
Invest in real-time behavioral analysis technology;
Establish a cross-chain compliance framework.
Only under a timely, coordinated, and mature AML/CFT system can the legitimacy and security of the stablecoin ecosystem be truly guaranteed.
4. BlockSec's Efforts
At BlockSec, we are committed to promoting the security and compliance of the cryptocurrency industry, focusing on providing feasible and operational on-chain solutions for AML and CFT. We have launched two key products:
4.1 Phalcon Compliance
Designed specifically for exchanges, regulatory agencies, payment projects, and DEX, supporting:
Multi-chain address risk scoring
Real-time transaction monitoring
Blacklist identification and alerts
Help users meet increasingly stringent compliance requirements.
4.2 MetaSleuth
Our visual on-chain tracking platform has been adopted by over 20 regulatory and law enforcement agencies worldwide. It supports:
Visualized fund tracking
Multi-chain address profiling
Complex path restoration and analysis
These two tools together embody our mission - to safeguard the order and security of the decentralized financial system.
Some addresses mentioned in the text:
https://docs.google.com/spreadsheets/d/1pz7SPTY2J4S7rGMiq6Dzi2Q5p0fXSGKzl9QF2PiV6Gw/edit?usp=sharing
