USDT Issuer Tether Under Fire for Multi-Sig Lag Enabling Crypto Laundering

A new report from AMLBot has revealed that a delay in Tether’s fund-freezing mechanism has allowed criminals to exploit the system and move over $78 million in USDT across Ethereum and Tron since 2017.

Tether’s Freeze Mechanism and Its Vulnerabilities

AMLBot, a blockchain forensics firm, has reported that Tether’s process for freezing USDT linked to criminal activity contains a delay that criminals have exploited. The firm found that the process of blacklisting addresses involves a multi-signature setup, which creates a delay between a freeze request and its execution on the blockchain.

This process requires multiple parties to sign the freeze transaction, which can take time to complete. During this time window, some wallets have moved funds before the freeze became active. AMLBot called this period a “critical window” for illicit actors.

PeckShield, a blockchain security firm, reviewed the report and confirmed the delay.

“It does not necessarily indicate a problem with the contract itself,” a spokesperson said. “Rather, it is an operational issue that creates a time window between when the blacklist transaction is submitted and when it is executed.”

$78 Million Moved Through Ethereum and Tron

AMLBot’s findings showed that bad actors withdrew $49.6 million on Tron and $28.5 million on Ethereum through this loophole. In one example, there was a 44-minute gap between the freeze request and its confirmation on the Tron network. This gave wallets enough time to make up to three transactions before being frozen.

According to AMLBot, 4.88% of all blacklisted wallets on Tron were able to exploit this lag. Although smaller in volume, Ethereum-based wallets also took advantage of this operational gap. Since 2017, the total amount of USDT moved by such wallets reached $78.1 million.

AMLBot believes some actors may be using tools to monitor freeze requests. These tools scan for specific smart contract calls that are part of the freezing process. If such a call is detected, the tools alert the wallet owner, giving them time to move funds.

Security Concerns and Industry Reactions

Tether is the issuer of USDT, the world’s largest stablecoin, and regularly freezes tokens tied to illegal activities. Its blacklisting process was used recently after the $1.4 billion Bybit hack, which was linked to North Korea’s Lazarus Group. Tether froze addresses to prevent the stolen assets from being moved or exchanged, although Germany has recently seized $38M from the exploit.

PeckShield explained that the vulnerability is a known issue with multi-signature wallets. These wallets are used to improve security, but they slow down urgent actions. PeckShield suggested that Tether could improve this by bundling the freeze request and necessary signatures into a single on-chain transaction to eliminate delays.

Slava Demchuk, CEO of AMLBot, stated, “Tools can be programmed to monitor the blockchain for specific contract interactions, such as submitTransaction() calls linked to freeze requests.” He added that while the firm has not observed the bots directly, the on-chain behavior strongly indicates automated systems are involved.

Amid scrutiny, Tether has taken steps to improve compliance through a partnership with Chainalysis. The two firms will integrate Chainalysis’ monitoring tools into Tether’s Hadron platform, which focuses on real-world asset tokenization.

AMLBot Criticized for Alleged Misuse of Its Tools

While the investigation was happening, ZachXBT, a blockchain expert, pointed out some issues with AMLBot. According to him, AMLBot’s own tools enabled criminals to go undetected.

As reported by ZachXBT, soon after the $243 million Genesis creditor theft in August 2024, AMLBot was used to transfer stolen funds through instant exchanges. In February 2025, breach logs from the BlackBasta ransomware group also referenced AMLBot as a recommended platform to check flagged addresses.

Cybercrime researcher Krebs previously reported that AMLBot clients included Antinalysis, a tool created by darknet group “Incognito” to check addresses for risks of being flagged.

Despite these allegations, AMLBot maintains that its tools are built for compliance and monitoring. It continues to warn that criminals are growing more sophisticated and are actively exploiting operational delays.