According to a recent AMLBot report, delays in the fund-freezing process of USDT issuer Tether have allowed malicious actors to exploit the system, enabling the transfer of over 78 million USDT across the Ethereum and Tron networks since 2017.
Freeze Protocol Flaws Leave Exploitable Gaps
Blockchain forensics firm AMLBot identified a major vulnerability in Tether’s freeze mechanism. The blacklisting process, which targets wallets involved in criminal activity, relies on a multi-signature approval system that introduces execution delays. This delay creates a critical window during which transactions can still go through.
AMLBot observed that during these windows, malicious wallets moved funds before restrictions took effect. The firm called this delay a “critical window” frequently exploited by cybercriminals.
Blockchain security firm PeckShield confirmed the delay but attributed it to operational workflows rather than flaws in the smart contract. “The issue lies in the lag between submitting a blacklist request and executing it,” a PeckShield representative said.
Over $78 Million Exploited via Tron and Ethereum
AMLBot’s investigation found that criminals funneled approximately $49.6 million through Tron and $28.5 million via Ethereum by exploiting freeze delays. In one Tron case, a 44-minute delay between initiating and executing a freeze allowed a wallet to complete three transactions before enforcement.
The report revealed that 4.88% of all blacklisted Tron wallets took advantage of this delay. Ethereum wallets showed fewer incidents but still benefitted from the lag. Overall, since 2017, cybercriminals have exploited this loophole to move over $78.1 million in USDT.
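The measurement described above can be reproduced from two kinds of records: the submission and execution time of each blacklist action, and the wallet's outgoing transfers. The following is an added example, not code from AMLBot, PeckShield or Tether. All wallet labels, timestamps and amounts are constructed; the 44-minute delay with three in-window transfers mirrors the Tron case mentioned above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Freeze:
    wallet: str
    submitted: datetime  # blacklist request submitted to the multisig
    executed: datetime   # blacklist actually enforced

@dataclass(frozen=True)
class Transfer:
    sender: str
    when: datetime
    amount: float        # USDT

def window_exposure(freezes, transfers):
    """Per wallet: freeze delay and outgoing transfers in [submitted, executed)."""
    report = {}
    for f in freezes:
        if f.executed < f.submitted:
            raise ValueError(f"execution precedes submission for {f.wallet}")
        hits = [t for t in transfers
                if t.sender == f.wallet and f.submitted <= t.when < f.executed]
        report[f.wallet] = {
            "delay_min": (f.executed - f.submitted).total_seconds() / 60,
            "tx_in_window": len(hits),
            "usdt_moved": sum(t.amount for t in hits),
        }
    return report

def exploited_share(report):
    """Percentage of blacklisted wallets that moved funds during the delay."""
    used = sum(1 for r in report.values() if r["tx_in_window"])
    return 100.0 * used / len(report) if report else 0.0

# Constructed sample data: labels, times and amounts are made up.
T0 = datetime(2025, 1, 1, 12, 0)
FREEZES = [Freeze("wallet_A", T0, T0 + timedelta(minutes=44)),
           Freeze("wallet_B", T0, T0 + timedelta(minutes=5))]
TRANSFERS = [
    Transfer("wallet_A", T0 - timedelta(minutes=10), 500.0),  # before request
    Transfer("wallet_A", T0 + timedelta(minutes=3), 1000.0),
    Transfer("wallet_A", T0 + timedelta(minutes=20), 2500.0),
    Transfer("wallet_A", T0 + timedelta(minutes=43), 750.0),
    Transfer("wallet_B", T0 - timedelta(minutes=2), 900.0),   # before request
]

if __name__ == "__main__":
    for wallet, row in window_exposure(FREEZES, TRANSFERS).items():
        print(wallet, row)
```

Tracking `delay_min` per freeze action is also a direct way to check whether a process change, such as the single-transaction approach PeckShield recommends, actually shrinks the window.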
AMLBot suspects that attackers are using automated tools to monitor smart contract activity for freeze-related functions. These tools likely alert wallet owners in real-time, enabling them to transfer funds before enforcement begins.
Rising Concerns and Industry Response
Tether, which issues the world’s largest stablecoin, regularly freezes tokens tied to illicit activity. After the $1.4 billion Bybit hack, linked to North Korea’s Lazarus Group, Tether froze relevant wallet addresses, preventing the transfer or liquidation of stolen funds. German authorities also recovered $38 million related to the same breach.
PeckShield highlighted that while multi-signature wallets enhance security, they introduce delays during urgent actions. The firm recommended Tether consolidate freeze requests and signatures into a single on-chain transaction to minimize lag.
Slava Demchuk, CEO of AMLBot, noted that bots could monitor contract functions like submitTransaction() to detect freeze requests in real time. While AMLBot hasn’t directly detected these bots, Demchuk said blockchain behavior strongly suggests automated involvement.
To bolster its compliance efforts, Tether recently partnered with Chainalysis. The collaboration will integrate Chainalysis’ monitoring tools into Tether’s Hadron platform, which supports the tokenization of real-world assets.
AMLBot Faces Scrutiny for Alleged Misuse
While AMLBot exposes vulnerabilities in others, it now faces scrutiny itself. Blockchain analyst ZachXBT accused AMLBot of enabling misuse. He referenced the August 2024 theft of $243 million from Genesis creditors, where attackers reportedly used AMLBot to move stolen funds through instant exchanges.
In a separate incident, ransomware gang BlackBasta mentioned AMLBot in logs as a tool to check wallet blacklist status. Cybersecurity journalist Brian Krebs also reported that users of the darknet tool Antinalysis relied on AMLBot to assess traceability.
AMLBot denies these allegations and insists its services are designed strictly for legal compliance and blockchain monitoring. The firm continues to warn that criminals are rapidly adapting and exploiting security timing gaps across blockchain systems.