Introduction

Stablecoins have developed rapidly in recent years. With their widespread application, regulatory agencies have increasingly emphasized the establishment of mechanisms capable of freezing illegal funds. We have observed that mainstream stablecoins like USDT and USDC are technically equipped with this capability. In practice, multiple cases have shown that these mechanisms have indeed played a role in combating money laundering and other illegal financial activities.

Furthermore, our research shows that stablecoins are not only used for money laundering but also frequently appear in the financing processes of terrorist organizations. This paper therefore analyzes the issue from two perspectives:

  1. A systematic review of the freezing behavior of USDT blacklisted addresses;

  2. An exploration of the connection between frozen funds and terrorist financing.

1. Analysis of USDT blacklisted addresses

We identify and track Tether blacklisted addresses through on-chain event monitoring. The analytical methods have been validated through Tether's smart contract source code. The core logic is as follows:

  • Event identification:

    The Tether contract maintains the blacklist status through two events:

    • AddedBlackList: new blacklisted address

    • RemovedBlackList: removed blacklisted address

  • Dataset construction:

    We record the following fields for each blacklisted address:

    • The address itself

    • Time of being added to the blacklist (blacklisted_at)

    • If the address is removed from the blacklist, the removal time is recorded (unblacklisted_at)
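The dataset construction described above can be sketched as a replay of the two events in chain order. This is an added example, not BlockSec's or Tether's code; it assumes the events have already been decoded into tuples, and the addresses, block numbers and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample of already-decoded events (placeholders, not chain data).
# Tuple layout: (block_number, log_index, unix_timestamp, event_name, address)
SAMPLE_EVENTS = [
    (105, 0, 1_700_000_500, "RemovedBlackList", "ADDR_A"),
    (100, 2, 1_700_000_000, "AddedBlackList", "ADDR_A"),
    (100, 3, 1_700_000_000, "AddedBlackList", "ADDR_B"),
    (110, 1, 1_700_001_000, "AddedBlackList", "ADDR_A"),    # blacklisted again
    (111, 0, 1_700_001_100, "AddedBlackList", "ADDR_A"),    # repeated add
    (112, 0, 1_700_001_200, "RemovedBlackList", "ADDR_C"),  # add never seen
]


@dataclass
class BlacklistRecord:
    address: str                            # kept verbatim: Tron base58 is case-sensitive
    blacklisted_at: int
    unblacklisted_at: Optional[int] = None  # None while still blacklisted


def build_blacklist_dataset(events):
    """Replay events in chain order; one record per blacklisting interval."""
    records, anomalies, open_records = [], [], {}
    for block, log_index, ts, name, address in sorted(events):
        if name == "AddedBlackList":
            if address in open_records:     # already listed: keep the first time
                anomalies.append((block, log_index, "repeated add", address))
                continue
            open_records[address] = BlacklistRecord(address, ts)
            records.append(open_records[address])
        elif name == "RemovedBlackList":
            record = open_records.pop(address, None)
            if record is None:              # collection window likely starts too late
                anomalies.append((block, log_index, "removal without add", address))
            else:
                record.unblacklisted_at = ts
    return records, anomalies


def currently_blacklisted(records):
    """Addresses that have an interval with no removal time."""
    return sorted(r.address for r in records if r.unblacklisted_at is None)
```

Sorting by block number and log index before replaying matters because logs fetched in pages or from several nodes can arrive out of order, which would otherwise pair a removal with the wrong addition.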

The following are the implementations of relevant functions in the contract:

1.1 Core Findings

Based on Tether data on Ethereum and Tron chains, we found the following trends:

Since January 1, 2016, a total of 5,188 addresses have been added to the blacklist, involving frozen funds exceeding $2.9 billion.

During the period from June 13 to 30, 2025, 151 addresses were blacklisted, of which 90.07% came from the Tron chain (the address list can be found in the appendix), with frozen amounts reaching $86.34 million. In terms of time distribution, June 15, 20, and 25 were peak days for blacklisting, with June 20 alone seeing as many as 63 addresses blacklisted in a single day.

  • Distribution of frozen amounts: The top ten addresses by amount account for a total of $53.45 million in frozen funds, accounting for 61.91% of the total frozen amount. The average frozen amount is $571,800, but the median is only $40,000, indicating that a few large addresses have inflated the overall average, while the vast majority of addresses have smaller frozen amounts.

  • Lifecycle fund distribution: These addresses have cumulatively received $808 million, of which $721 million had been transferred out before being blacklisted, and only $86.34 million was actually frozen. This indicates that most funds were successfully transferred before regulatory intervention. Additionally, 17% of addresses had no outgoing transaction records at all, possibly serving as temporary storage or fund aggregation points, warranting further attention.

  • Newly created addresses are more likely to be blacklisted: 41% of blacklisted addresses were less than 30 days old, 27% had existed for 91-365 days, and only 3% had been in use for over 2 years, indicating that new addresses are more likely to be used for illegal activities.

  • Most addresses achieved 'escape before freezing': About 54% of addresses had transferred out over 90% of their funds before being blacklisted, and another 10% had a balance of 0 at the time of freezing, indicating that law enforcement actions mostly could only freeze the remaining value of funds.

  • New addresses are more efficient at money laundering: Through the FlowRatio vs. DaysActive scatter plot, we found that new addresses perform outstandingly in terms of quantity, blacklisting frequency, and transfer efficiency, achieving the highest success rate in money laundering.
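The lifecycle figures above (received, transferred out before blacklisting, actually frozen, mean versus median) can be derived from transfer records and the blacklisting time, as in this added example, which is not BlockSec's code. The page does not define FlowRatio; the definition used here (outflow before blacklisting divided by inflow before blacklisting) is an assumption, and all addresses, timestamps and amounts are constructed.

```python
from statistics import mean, median

# Constructed sample, not chain data.
BLACKLISTED_AT = {"ADDR_A": 1000, "ADDR_B": 1000, "ADDR_C": 1000}
# Transfers: (unix_timestamp, from_address, to_address, amount in whole USDT)
TRANSFERS = [
    (100, "EXT_1", "ADDR_A", 500_000),
    (200, "ADDR_A", "EXT_2", 480_000),
    (300, "EXT_1", "ADDR_B", 40_000),
    (400, "EXT_3", "ADDR_C", 10_000),
    (500, "ADDR_C", "ADDR_B", 10_000),
    (1500, "EXT_1", "ADDR_A", 5_000),   # arrives after blacklisting, ignored
]


def profile(address, blacklisted_at, transfers):
    """Inflow, outflow and remaining balance at the moment of blacklisting."""
    received = sum(amt for ts, _, dst, amt in transfers
                   if dst == address and ts < blacklisted_at)
    sent = sum(amt for ts, src, _, amt in transfers
               if src == address and ts < blacklisted_at)
    frozen = received - sent
    flow_ratio = sent / received if received else 0.0   # assumed definition
    if frozen == 0:
        label = "zero_balance"          # nothing left to freeze
    elif flow_ratio > 0.9:
        label = "escaped_over_90pct"    # most funds left before the freeze
    elif sent == 0:
        label = "no_outgoing"           # storage or aggregation point
    else:
        label = "partial"
    return {"address": address, "received": received, "sent": sent,
            "frozen": frozen, "flow_ratio": flow_ratio, "label": label}


def summarize(blacklisted_at, transfers):
    """Aggregate per-address profiles into the headline figures."""
    rows = [profile(a, t, transfers) for a, t in sorted(blacklisted_at.items())]
    frozen = [r["frozen"] for r in rows]
    return {"rows": rows,
            "total_received": sum(r["received"] for r in rows),
            "total_frozen": sum(frozen),
            "mean_frozen": mean(frozen),
            "median_frozen": median(frozen)}
```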

1.2 Fund flow tracking

Through BlockSec's on-chain tracking tool MetaSleuth (https://metasleuth.io), we further analyzed the fund flows of the 151 USDT addresses blacklisted from June 13 to 30, identifying the main sources and directions of funds.

1.2.1 Source of funds analysis

  • Internal contamination (91 addresses): The funds of these addresses come from other already blacklisted addresses, indicating a highly interconnected money laundering network.

  • Phishing tags (37 addresses): Many upstream addresses are labeled as 'Fake Phishing' in MetaSleuth, possibly as deceptive tags to obscure illegal sources.

https://metasleuth.io/result/tron/THpNSa3BMNPPzVNTPZ6aTmRsVzGR6uRmma?source=26599be9-c3a9-42a6-a2ae-b6de72418003

  • Exchange hot wallets (34 addresses): Sources of funds include exchange hot wallets like Binance (20), OKX (7), and MEXC (7), possibly related to stolen accounts or 'mule accounts'.

  • Single main distributor (35 addresses): The same blacklisted address appears multiple times upstream, possibly functioning as an aggregator or mixer for fund distribution.

  • Cross-chain bridge entry (2 addresses): Some funds originate from cross-chain bridges, indicating possible cross-chain money laundering operations.

1.2.2 Fund flow analysis

  • Flow to other blacklisted addresses (54): There exists an 'internal circular chain' structure between blacklisted addresses.

  • Flow to centralized exchanges (41): These addresses transferred funds to deposit addresses of CEXs like Binance (30) and Bybit (7), achieving 'exit'.

  • Flow to cross-chain bridges (12): Indicating that some funds are attempting to escape the Tron ecosystem and continue cross-chain money laundering.

https://metasleuth.io/result/tron/TBqeWc1apWjp5hRUrQ9cy8vBtTZSSnqBoY?source=ddea74a3-fb52-4203-846a-c7be07fbb78d

Notably, Binance and OKX appear on both the inflow (hot wallets) and outflow (deposit addresses) sides, further highlighting their core position in the funding chain. Exchanges' currently insufficient AML/CFT enforcement and the lag in asset freezing may allow criminals to complete asset transfers before regulatory intervention.

We recommend that major cryptocurrency exchanges, as core channels for funds, strengthen real-time monitoring and risk interception mechanisms to prevent issues before they arise.

https://metasleuth.io/result/tron/TFjqBgossxvtfrivgd6mFVhZ1tLqqyfZe9?source=7ba5d0da-d5b5-41ab-b54c-d784fb57f079

2. Terrorist financing analysis

To further understand the use of USDT in terrorist financing, we analyzed the administrative seizure orders issued by Israel's National Bureau for Counter Terror Financing (NBCTF). Although the single data source we used makes it difficult to restore the full picture, we take it as a representative sample for conservative analysis and estimation of USDT's involvement in terrorist transactions.

2.1 Core Findings

  • Release point: Since the escalation of the Israel-Iran conflict on June 13, 2025, only one new seizure order has been added (June 26). The previous document was dated June 8, indicating a lag in law enforcement response during periods of geopolitical tension.

  • Target organizations: Since the outbreak of conflict on October 7, 2024, the NBCTF has issued 8 seizure orders, 4 of which explicitly mentioned 'Hamas', and the latest one mentioned 'Iran' for the first time.

  • Addresses and assets involved in the seizure order:

    • 76 USDT (Tron) addresses

    • 16 BTC addresses

    • 2 Ethereum addresses

    • 641 Binance accounts

    • 8 OKX accounts

Our on-chain tracking of 76 USDT (Tron) addresses revealed two behavioral patterns of Tether in response to these official directives:

  1. Proactive freezing: Tether blacklisted 17 Hamas-related addresses even before the seizure order was issued, on average 28 days in advance, with some as early as 45 days.

  2. Rapid response: For the remaining addresses, Tether completed freezing in an average of just 2.1 days after the seizure order was announced, demonstrating good law enforcement cooperation.

These signs indicate a close, even preemptive, cooperation mechanism between Tether and some national law enforcement agencies.

3. Summary and challenges faced by AML/CFT

Our research shows that while stablecoins like USDT provide technical means for transaction controllability, in practice, AML/CFT still faces the following challenges:

3.1 Core Challenges

  • Lagging law enforcement vs. proactive prevention: Currently, most law enforcement actions still rely on post-event processing, leaving room for criminals to transfer assets.

  • Regulatory blind spots of exchanges: Centralized exchanges, as hubs for fund entry and exit, often lack sufficient monitoring, making it difficult to identify abnormal behaviors in a timely manner.

  • Cross-chain money laundering is becoming increasingly complex: The use of multi-chain ecosystems and cross-chain bridges makes fund transfers more concealed, significantly increasing the difficulty of regulatory tracking.

3.2 Recommendations

We recommend that stablecoin issuers, exchanges, and regulatory agencies:

  • Strengthen on-chain intelligence sharing;

  • Invest in real-time behavioral analysis technology;

  • Establish cross-chain compliance frameworks.

Only under a timely, coordinated, and technically mature AML/CFT system can the legitimacy and security of the stablecoin ecosystem be truly guaranteed.

4. BlockSec's efforts

At BlockSec, we are dedicated to promoting security and compliance in the cryptocurrency industry, focusing on providing actionable on-chain solutions for AML and CFT. We have launched two key products:

4.1 Phalcon Compliance

Designed for exchanges, regulatory agencies, payment projects, and DEXs, it supports:

  • Multi-chain address risk score

  • Real-time transaction monitoring

  • Blacklist identification and alerts

It helps users meet increasingly stringent compliance requirements.

4.2 MetaSleuth

Our visual on-chain tracking platform has been adopted by more than 20 regulatory and law enforcement agencies globally. It supports:

  • Visualized fund tracking

  • Multi-chain address profiling

  • Complex path restoration and analysis

These two tools embody our mission - to safeguard the order and security of decentralized financial systems.