introduction
Stablecoins have developed rapidly in recent years. With their widespread use, regulators have increasingly emphasized the establishment of a mechanism to freeze illegal funds. We have observed that mainstream stablecoins such as USDT and USDC already have this capability technically. In practice, there have been multiple cases showing that these mechanisms have indeed played a role in combating money laundering and other illegal financial activities.
Furthermore, our research shows that stablecoins are not only used for money laundering, but also frequently appear in the financing process of terrorist organizations . Therefore, this article analyzes from two perspectives:
Systematically review the freezing behavior of USDT blacklisted addresses;
Explore the connection between frozen funds and terrorist financing.
1. Analysis of USDT blacklist addresses
We identify and track Tether blacklisted addresses through on-chain event monitoring. The analysis method has been verified by the Tether smart contract source code. The core logic is as follows:
Event Identification:
The Tether contract maintains the blacklist status through two events:
AddedBlackList: Added blacklist addressRemovedBlackList: Remove blacklist addressesDataset construction:
We record the following fields for each blacklisted address:
The address itself
Blacklisted_at
If the address is removed from the blacklist, the release time (unblacklisted_at) is recorded
The following is the implementation of relevant functions in the contract:
1.1 Core Findings
Based on the Tether data on Ethereum and Tron, we found the following trends:
Since January 1, 2016, a total of 5,188 addresses have been blacklisted, involving frozen funds of more than $2.9 billion .
From June 13 to 30, 2025 alone, 151 addresses were blacklisted, of which 90.07% were from the Tron chain (see the appendix for the address list), with a frozen amount of up to $86.34 million . Time distribution of blacklist events: June 15, 20, and 25 were the peak days for blacklisting, with 63 blacklisted addresses on June 20 alone.
Distribution of frozen amount: The top ten addresses in terms of amount have frozen a total of 53.45 million USD , accounting for 61.91% of the total frozen amount. The average frozen amount is 571,800 USD , but the median is only 40,000 USD , indicating that a small number of large addresses have raised the overall average, and the vast majority of addresses have frozen amounts that are relatively small.
Lifecycle fund distribution: These addresses received a total of $808 million, of which $721 million had been transferred out before being blacklisted, and only $86.34 million was actually frozen. This shows that most of the funds had been successfully transferred before regulatory intervention. In addition, 17% of the addresses have no withdrawal records at all, which may be used as temporary storage or fund aggregation points, which deserves further attention.
Newly created addresses are more likely to be blacklisted: 41% of blacklisted addresses were created less than 30 days ago, 27% were in existence for 91–365 days, and only 3% were used for more than 2 years, indicating that new addresses are more likely to be used for illegal activities.
Most addresses achieved “escape before freezing”: about 54% of the addresses had transferred out more than 90% of their funds before being blacklisted, and another 10% had a balance of 0 when frozen, indicating that most law enforcement actions can only freeze the residual value of funds.
New addresses are more efficient in money laundering: Through the FlowRatio vs. DaysActive scatter plot, we found that new addresses performed outstandingly in terms of quantity, blacklisting frequency, and transfer efficiency, and had the highest money laundering success rate.
1.2 Tracking the flow of funds
Using BlockSec’s on-chain tracking tool MetaSleuth (https://metasleuth.io) , we further analyzed the fund flows of the 151 USDT addresses that were blacklisted between June 13 and 30, and identified the main sources and destinations of funds.
1.2.1 Analysis of funding sources
Internal Contamination (91 addresses) : Funds from these addresses come from other blacklisted addresses, indicating the existence of a highly interconnected money laundering network.
Phishing tags (37 addresses) : Many upstream addresses are marked as “Fake Phishing” in MetaSleuth, which may be deceptive tags to conceal illegitimate sources.
https://metasleuth.io/result/tron/THpNSa3BMNPPzVNTPZ6aTmRsVzGR6uRmma?source=26599be9-c3a9-42a6-a2ae-b6de72418003
Exchange hot wallets (34 addresses) : The sources of funds include hot wallets of exchanges such as Binance (20), OKX (7), and MEXC (7), which may be related to stolen accounts or "mule accounts".
Single major distributor (35 addresses) : The same blacklisted address is used as upstream multiple times, possibly as an aggregator or mixer to distribute funds.
Cross-chain bridge entry (2 addresses) : Part of the funds come from the cross-chain bridge, indicating the existence of cross-chain money laundering operations.
1.2.2 Analysis of fund destination
Flow to other blacklisted addresses (54) : There is an "internal loop chain" structure between the blacklisted addresses.
Flowing to centralized exchanges (41) : These addresses transfer funds to the recharge addresses of CEXs such as Binance (30) and Bybit (7) to achieve "getting off the bus".
Flowing to cross-chain bridges (12) : This indicates that some funds are trying to escape the Tron ecosystem and continue to launder money across chains.
https://metasleuth.io/result/tron/TBqeWc1apWjp5hRUrQ9cy8vBtTZSSnqBoY?source=ddea74a3-fb52-4203-846a-c7be07fbb78d
It is worth noting that Binance and OKX appear at both ends of the capital inflow (hot wallet) and outflow (recharge address) , further highlighting their core position in the capital chain. The current inadequate implementation of AML/CFT by exchanges and delayed asset freezing may allow criminals to complete asset transfers before regulatory intervention.
We recommend that major crypto trading platforms, as core channels for funds, should strengthen real-time monitoring and risk interception mechanisms to prevent risks before they occur.
https://metasleuth.io/result/tron/TFjqBgossxvtfrivgd6mFVhZ1tLqqyfZe9?source=7ba5d0da-d5b5-41ab-b54c-d784fb57f079
2. Terrorist Financing Analysis
To further understand the use of USDT in terrorist financing, we analyzed the Administrative Seizure Orders issued by the National Counter-Terrorism Financing Bureau (NBCTF) of Israel. Although the single data source we used is difficult to restore the full picture, it is used as a representative sample to evaluate the conservative analysis and estimation of USDT-related terrorist transactions.
2.1 Core Findings
Release time : Since the escalation of the Israel-Iran conflict on June 13, 2025, only one new seizure order has been issued (June 26). The previous document was on June 8, showing a lag in law enforcement response during periods of geopolitical tension.
Targeted organizations : Since the conflict broke out on October 7, 2024, the NBCTF has issued a total of 8 seizure orders, 4 of which explicitly mentioned "Hamas", while the latest one mentioned "Iran" for the first time.
Addresses and assets covered by the seizure order :
76 USDT (Tron) addresses
16 BTC addresses
2 Ethereum addresses
641 Binance accounts
8 OKX accounts
Our on-chain tracking of 76 USDT (Tron) addresses reveals two patterns of behavior by Tether in response to these official directives:
Active freezing : Tether blacklisted 17 of the Hamas-related addresses before the seizure order was issued, an average of 28 days in advance , and the earliest as early as 45 days in advance.
Quick response : For the remaining addresses, Tether completed the freezing in an average of only 2.1 days after the seizure order was issued, demonstrating good law enforcement cooperation capabilities.
These signs indicate that there is a close and even proactive cooperation mechanism between Tether and law enforcement agencies in some countries.
3. Summary and challenges faced by AML/CFT
Our research shows that although stablecoins such as USDT provide technical means for transaction controllability, AML/CFT still faces the following challenges in practice:
3.1 Core Challenges
Delayed law enforcement vs. proactive prevention and control : Currently, most law enforcement actions still rely on post-event processing, leaving room for criminals to transfer assets.
Regulatory blind spots of exchanges : Centralized exchanges, as hubs for inflows and outflows, often have insufficient monitoring and find it difficult to identify abnormal behavior in a timely manner.
Cross-chain money laundering becomes increasingly complex : the use of multi-chain ecosystems and cross-chain bridges makes fund transfers more covert and makes regulatory tracking more difficult.
3.2 Recommendations
We recommend that stablecoin issuers, exchanges, and regulators:
Strengthen on-chain intelligence sharing;
Invest in real-time behavioral analytics technology;
Establish a cross-chain compliance framework.
Only under a timely, coordinated, and technologically mature AML/CFT system can the legitimacy and security of the stablecoin ecosystem be truly guaranteed.
4. BlockSec’s Efforts
At BlockSec, we are committed to promoting security and compliance in the crypto industry, focusing on providing practical and actionable on-chain solutions for AML and CFT. We have launched two key products:
4.1 Phalcon Compliance
Designed for exchanges, regulators, payment projects and DEXs, it supports:
Multichain Address Risk Scoring
Real-time transaction monitoring
Blacklist identification and alerting
Help users meet increasingly stringent compliance requirements.
4.2 MetaSleuth
Our visual on-chain tracking platform has been adopted by more than 20 regulatory and law enforcement agencies around the world. It supports:
Visual money tracking
Multi-chain address portrait
Complex path restoration and analysis
Together, these two tools embody our mission to protect the order and security of the decentralized financial system.
