Author: BlockSec
0. Introduction
Stablecoins have developed rapidly in recent years. With their widespread application, regulators are increasingly emphasizing the establishment of mechanisms to freeze illegal funds. We have observed that mainstream stablecoins such as USDT and USDC already possess this capability technically. In practice, there have been multiple cases indicating that these mechanisms have indeed played a role in combating money laundering and other illegal financial activities.
Furthermore, our research shows that stablecoins are not only used for money laundering but also frequently appear in the financing processes of terrorist organizations. Therefore, this article analyzes the issue from two perspectives:
A systematic review of the freezing actions of USDT blacklisted addresses;
Exploring the connection between frozen funds and terrorist financing.
This report is based on publicly available on-chain data for analysis and may contain inaccuracies or omissions. If you have suggestions or corrections, please contact us at: contact@blocksec.com.
1. Analysis of USDT Blacklisted Addresses
We identified and tracked Tether blacklisted addresses through on-chain event monitoring. The analysis method has been verified through the Tether smart contract source code. The core logic is as follows:
Event Identification: The Tether contract maintains the blacklist status through two events:
AddedBlackList: New blacklisted address
RemovedBlackList: Removed blacklisted address
Dataset Construction: For each blacklisted address, we record the following fields:
The address itself
The time the address was blacklisted (blacklisted_at)
If the address is removed from the blacklist, the time of removal is recorded (unblacklisted_at)
The following is the implementation of the relevant functions in the contract:
function addBlackList(address _evilUser) public onlyOwner {
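The dataset construction described above, as an added example that is not BlockSec's own code: it folds already decoded AddedBlackList/RemovedBlackList logs into one row per blacklisting period with the fields address, blacklisted_at and unblacklisted_at. The event tuples, the placeholder addresses and the names BlacklistInterval, build_dataset and currently_blacklisted are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (not real on-chain data). Each record is an
# already decoded log: (block_timestamp, log_index, event_name, address).
SAMPLE_EVENTS = [
    (1750000300, 4, "RemovedBlackList", "TExampleAddr1"),
    (1750000100, 2, "AddedBlackList", "TExampleAddr1"),
    (1750000200, 0, "AddedBlackList", "TExampleAddr2"),
    (1750000200, 1, "AddedBlackList", "TExampleAddr2"),    # repeated add
    (1750000900, 7, "AddedBlackList", "TExampleAddr1"),    # blacklisted again
    (1750000950, 3, "RemovedBlackList", "TExampleAddr3"),  # removal with no add
]

@dataclass
class BlacklistInterval:
    address: str
    blacklisted_at: int
    unblacklisted_at: Optional[int] = None

def build_dataset(events):
    """Fold blacklist events into one row per blacklisting period."""
    rows = []
    open_rows = {}  # address -> interval that is still open
    # Logs may arrive out of order; replay them in chain order.
    for ts, _idx, name, addr in sorted(events, key=lambda e: (e[0], e[1])):
        current = open_rows.get(addr)
        if name == "AddedBlackList":
            if current is None:  # a repeated add keeps the first timestamp
                current = BlacklistInterval(addr, ts)
                open_rows[addr] = current
                rows.append(current)
        elif name == "RemovedBlackList":
            if current is not None:  # ignore removals without a matching add
                current.unblacklisted_at = ts
                del open_rows[addr]
    return rows

def currently_blacklisted(rows):
    """Addresses whose latest interval has no removal time."""
    return sorted(r.address for r in rows if r.unblacklisted_at is None)
```

Keeping one row per period rather than one row per address preserves the history of an address that was removed and later blacklisted again.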
1.1 Key Findings
Based on Tether data on the Ethereum and Tron chains, we found the following trends:
Since January 1, 2016, a total of 5,188 addresses have been blacklisted, involving frozen funds exceeding $2.9 billion.
During the period from June 13 to June 30, 2025, 151 addresses were blacklisted, of which 90.07% came from the Tron chain (the address list can be found in the appendix), with frozen amounts reaching $86.34 million. The time distribution of blacklisting events peaked on June 15, 20, and 25, with June 20 seeing a single-day high of 63 blacklisted addresses.
Distribution of Frozen Amounts: The top ten addresses account for a total frozen amount of $53.45 million, which is 61.91% of the total frozen amount. The average frozen amount is $571,800, but the median is only $40,000, indicating that a small number of large addresses inflate the overall average, while the vast majority of addresses have smaller frozen amounts.
Lifecycle Fund Distribution: These addresses have cumulatively received $808 million, of which $721 million was transferred out before being blacklisted, leaving only $86.34 million actually frozen. This indicates that most funds were successfully transferred before regulatory intervention. Additionally, 17% of the addresses had no outgoing transaction records, possibly serving as temporary storage or fund aggregation points, warranting further attention.
Newly Created Addresses More Likely to be Blacklisted: 41% of blacklisted addresses were created less than 30 days ago, 27% existed for 91–365 days, and only 3% had been in use for over 2 years, indicating that new addresses are more likely to be used for illegal activities.
Most Addresses Achieve "Escape Before Freezing": About 54% of addresses had transferred out over 90% of their funds before being blacklisted, and another 10% had a balance of 0 at the time of freezing, indicating that law enforcement actions mostly only freeze the residual value of funds.
New Addresses Have Higher Money Laundering Efficiency: Through the FlowRatio vs. DaysActive scatter plot, we found that new addresses excel in terms of quantity, blacklisting frequency, and transfer efficiency, achieving the highest success rate in money laundering.
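An added example (not from the original report) showing how the lifecycle figures above can be derived per address from its transfer history and blacklisted_at. The sample records are constructed, and the definitions of flow_ratio and days_active are assumptions, since the report does not define FlowRatio or DaysActive.

```python
from statistics import mean, median

DAY = 86400
# Constructed sample data (not real addresses): blacklisted_at timestamp and
# USDT transfers as (timestamp, direction, amount) for each address.
SAMPLE = {
    "addrA": {"blacklisted_at": 100 * DAY,
              "transfers": [(90 * DAY, "in", 1000.0), (95 * DAY, "out", 950.0)]},
    "addrB": {"blacklisted_at": 400 * DAY,
              "transfers": [(10 * DAY, "in", 500.0), (20 * DAY, "out", 500.0)]},
    "addrC": {"blacklisted_at": 50 * DAY,
              "transfers": [(45 * DAY, "in", 2000.0)]},
    "addrD": {"blacklisted_at": 200 * DAY,
              "transfers": [(100 * DAY, "in", 800.0), (150 * DAY, "out", 200.0),
                            (210 * DAY, "in", 50.0)]},  # arrives after the freeze
}

def profile(record):
    """Per-address lifecycle figures up to the moment of blacklisting."""
    cutoff = record["blacklisted_at"]
    before = [t for t in record["transfers"] if t[0] <= cutoff]
    received = sum(a for _, d, a in before if d == "in")
    sent = sum(a for _, d, a in before if d == "out")
    first_seen = min((t[0] for t in before), default=cutoff)
    return {
        "received": received,
        "frozen": received - sent,
        # Assumed definition: share of received funds moved out before the freeze.
        "flow_ratio": sent / received if received else 0.0,
        # Assumed definition: days from first transfer to blacklisting.
        "days_active": (cutoff - first_seen) // DAY,
        "has_outgoing": sent > 0,
    }

def summarize(dataset):
    """Shares and averages matching the categories used in the findings."""
    p = [profile(r) for r in dataset.values()]
    n = len(p)
    return {
        # Counted separately from zero-balance addresses (an assumption).
        "escaped_over_90pct": sum(x["flow_ratio"] > 0.9 and x["frozen"] > 0 for x in p) / n,
        "zero_balance": sum(x["frozen"] == 0 for x in p) / n,
        "no_outgoing": sum(not x["has_outgoing"] for x in p) / n,
        "created_under_30d": sum(x["days_active"] < 30 for x in p) / n,
        "mean_frozen": mean(x["frozen"] for x in p),
        "median_frozen": median(x["frozen"] for x in p),
    }
```

On the constructed sample the mean frozen amount (662.5) is about twice the median (325.0) because one address holds most of the frozen balance, the same skew the report describes.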
1.2 Fund Flow Tracking
Using BlockSec's on-chain tracking tool MetaSleuth (https://metasleuth.io), we further analyzed the fund movements of the 151 USDT addresses blacklisted between June 13 and June 30, identifying the main sources and destinations of the funds.
1.2.1 Fund Source Analysis
Internal Contamination (91 addresses): The funds of these addresses come from other already blacklisted addresses, indicating a highly interconnected money laundering network.
Phishing Labels (37 addresses): Many upstream addresses are marked as "Fake Phishing" in MetaSleuth, possibly deceptive labels to obscure illegal sources.
https://metasleuth.io/result/tron/THpNSa3BMNPPzVNTPZ6aTmRsVzGR6uRmma?source=26599be9-c3a9-42a6-a2ae-b6de72418003
Exchange Hot Wallets (34 addresses): Fund sources include hot wallets from exchanges such as Binance (20), OKX (7), and MEXC (7), possibly related to stolen accounts or "mule accounts."
Single Major Distributors (35 addresses): The same blacklisted address appears multiple times as an upstream source, possibly acting as an aggregator or mixer for fund distribution.
Cross-Chain Bridge Entry (2 addresses): Some funds originate from cross-chain bridges, indicating cross-chain money laundering operations.
1.2.2 Fund Destination Analysis
Flow to Other Blacklisted Addresses (54): There is an "internal loop chain" structure among blacklisted addresses.
Flow to Centralized Exchanges (41): These addresses transfer funds to recharge addresses of CEXs such as Binance (30) and Bybit (7), achieving an "exit."
Flow to Cross-Chain Bridges (12): This indicates that some funds attempt to escape the Tron ecosystem and continue cross-chain money laundering.
https://metasleuth.io/result/tron/TBqeWc1apWjp5hRUrQ9cy8vBtTZSSnqBoY?source=ddea74a3-fb52-4203-846a-c7be07fbb78d
It is noteworthy that Binance and OKX appear on both the inflow (hot wallets) and outflow (recharge addresses) sides, further highlighting their core position in the funding chain. The current insufficient execution of AML/CFT by exchanges and the lag in asset freezing may allow criminals to complete asset transfers before regulatory intervention.
We recommend that major cryptocurrency trading platforms, as core channels for funds, strengthen real-time monitoring and risk interception mechanisms to prevent issues before they arise.
https://metasleuth.io/result/tron/TFjqBgossxvtfrivgd6mFVhZ1tLqqyfZe9?source=7ba5d0da-d5b5-41ab-b54c-d784fb57f079
2. Terrorist Financing Analysis
To further understand the use of USDT in terrorist financing, we analyzed the Administrative Seizure Orders issued by Israel's National Bureau for Counter Terror Financing (NBCTF). Although the single data source we used may not provide a complete picture, it serves as a representative sample for a conservative analysis and estimation of USDT's involvement in terrorist transactions.
2.1 Key Findings
Timing of Issuance: Since the escalation of the Israel-Iran conflict on June 13, 2025, only one new seizure order has been issued (on June 26). The previous document was dated June 8, indicating a lag in law enforcement response during periods of geopolitical tension.
Target Organizations: Since the outbreak of conflict on October 7, 2024, the NBCTF has issued a total of 8 seizure orders, 4 of which explicitly mention "Hamas," while the latest one is the first to mention "Iran."
Addresses and Assets Involved in Seizure Orders:
76 USDT (Tron) addresses
16 BTC addresses
2 Ethereum addresses
641 Binance accounts
8 OKX accounts
Our on-chain tracking of the 76 USDT (Tron) addresses reveals two behavioral patterns of Tether in response to these official directives:
Proactive Freezing: Tether had already blacklisted 17 Hamas-related addresses before the issuance of the seizure order, an average of 28 days in advance, with the earliest being 45 days in advance.
Rapid Response: For the remaining addresses, Tether completed the freezing in an average of only 2.1 days after the announcement of the seizure order, demonstrating good cooperation with law enforcement.
These signs indicate a close, even proactive cooperation mechanism between Tether and certain national law enforcement agencies.
3. Summary and Challenges Facing AML/CFT
Our research shows that while stablecoins like USDT provide technical means for transaction controllability, AML/CFT still faces the following challenges in practice:
3.1 Core Challenges
Lagging Law Enforcement vs. Proactive Prevention: Most law enforcement actions currently rely on post-event processing, leaving space for criminals to transfer assets.
Regulatory Blind Spots in Exchanges: Centralized exchanges, as hubs for capital inflow and outflow, often lack sufficient monitoring, making it difficult to identify abnormal behavior in a timely manner.
Increasing Complexity of Cross-Chain Money Laundering: The use of multi-chain ecosystems and cross-chain bridges makes fund transfers more covert, significantly increasing the difficulty of regulatory tracking.
3.2 Recommendations
We recommend that stablecoin issuers, exchanges, and regulatory agencies:
Strengthen on-chain intelligence sharing;
Invest in real-time behavioral analysis technology;
Establish a cross-chain compliance framework.
Only under a timely, collaborative, and technologically mature AML/CFT system can the legitimacy and security of the stablecoin ecosystem be truly guaranteed.
4. BlockSec's Efforts
At BlockSec, we are committed to promoting the security and compliance of the cryptocurrency industry, focusing on providing actionable on-chain solutions for AML and CFT. We have launched two key products:
4.1 Phalcon Compliance
Designed for exchanges, regulatory agencies, payment projects, and DEXs, it supports:
Multi-chain address risk scoring
Real-time transaction monitoring
Blacklist identification and alerts
Helping users meet increasingly stringent compliance requirements.
4.2 MetaSleuth
Our visual on-chain tracking platform has been adopted by over 20 regulatory and law enforcement agencies worldwide. It supports:
Visual fund tracking
Multi-chain address profiling
Complex path reconstruction and analysis
These two tools embody our mission—to safeguard the order and security of decentralized financial systems.
Addresses mentioned in the text:
https://docs.google.com/spreadsheets/d/1pz7SPTY2J4S7rGMiq6Dzi2Q5p0fXSGKzl9QF2PiV6Gw/edit?usp=sharing