Tether multisig freeze not effective; $78.1M lost to hackers – AMLBot

In a striking revelation, AMLBot has reported that Tether’s delay in freezing stolen funds has cost $78.1 million in USDT, raising critical questions about the stablecoin’s security protocols.
Tether’s ability to freeze funds has long been considered a significant security feature. From 2014 to 2025, the company successfully froze over $2.5 billion in USDT. However, AMLBot’s analysis highlights a major flaw: the delay in executing these freezes, allowing hackers to exploit the window and abscond with millions. This has inadvertently resulted in more than $70 million in losses.
The primary issue lies in the time it takes to freeze USDT on different blockchains. On TRON, the process can take up to 44 minutes, while on Ethereum, it can extend to an hour. During this period, assets remain transferable, giving malicious actors an opportunity to move funds before the freeze is enforced.
Between 2017 and 2022, Tether blocked $31 million in stolen USDT, $160 million linked to three Ethereum addresses, $8.2 million from three Ethereum wallets, and $46 million tied to FTX.
In 2023, Tether immobilized another $1 million on TRON, $873,118 connected to conflicts in Israel and Ukraine, $225 million related to Southeast Asian human trafficking, and $435 million from 326 wallets flagged by U.S. authorities.
In 2024, Tether further restricted $1.86 billion from 1,850 wallets across 45 countries, including $100 million linked to illegal assets intercepted by the T3 Financial Crime Unit, $9 million from a pig butchering scam, and $1.4 million tied to a tech support fraud.
By 2025, three major freezing operations were conducted: $23 million associated with the sanctioned Russian exchange Garantex, $601,798 from four TRON addresses, and $870,000 connected to phishing and theft.
Lag in time between initiation of freeze and actual freeze
The primary reason for the delay is Tether’s use of a multisig system to execute freezes. Once a freeze request is initiated, it must go through several steps. Initially, a request is proposed on-chain. After internal review and approval, the execution phase begins, during which the funds are frozen.
However, this protocol introduces a vulnerability. During the lag between the request and its confirmation, the wallet in question remains active. An incident cited in the report details how a wallet, blacklisted by Tether, experienced a delay of up to 44 minutes before the freeze took effect. During this time, the wallet held $426,183 in USDT, which could be transferred at will.
A similar incident on Ethereum revealed nearly an hour of vulnerability before the funds were effectively frozen. This gap allows anyone with access to the compromised wallet to transfer funds before they are locked.
The TRON blockchain, in particular, has been exploited due to the lag in freezing assets. AMLBot’s analysis found that during these delay periods, approximately $49.6 million was withdrawn from TRON-based wallets before being officially blacklisted. A total of 170 out of 3,480 wallets on TRON utilized this loophole to move assets.
This situation exposes a critical flaw in the protocol. Once a freeze is suggested, it becomes visible on-chain, signaling to hackers that they have a limited window to transfer funds. Until the freeze is confirmed, the affected wallet remains fully operational, effectively defeating the purpose of an immediate freeze.
“This workflow was likely implemented to improve internal governance and reduce the risk of unilateral actions. However, it introduces a race condition: once a freeze is suggested, it’s visible on-chain, and until it’s confirmed, the target wallet remains fully functional.”
AMLBot
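As an added illustration (not code from AMLBot or Tether), the sketch below shows how an analyst could measure the exposure window described above from a wallet's event history: the time between the freeze proposal and its execution, and how much USDT left the wallet in that gap. The event labels, wallet names, timestamps and amounts are all constructed assumptions, not real chain data or contract event names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional

# Constructed sample events, not real chain data: (time, wallet, kind, USDT amount).
# The kind labels are hypothetical names for the steps the article describes.
EVENTS = [
    ("2025-01-10T11:30:00", "wallet_A", "transfer_out", "50"),       # before proposal
    ("2025-01-10T12:00:00", "wallet_A", "freeze_proposed", None),
    ("2025-01-10T12:05:00", "wallet_A", "transfer_out", "300000"),   # inside window
    ("2025-01-10T12:44:00", "wallet_A", "freeze_executed", None),
    ("2025-01-11T09:00:00", "wallet_B", "freeze_proposed", None),
    ("2025-01-11T09:20:00", "wallet_B", "freeze_executed", None),    # nothing moved
    ("2025-01-12T15:00:00", "wallet_C", "freeze_proposed", None),
    ("2025-01-12T15:10:00", "wallet_C", "transfer_out", "1200.50"),  # freeze still pending
]

@dataclass
class Exposure:
    wallet: str
    window: Optional[timedelta]  # None while the freeze has not executed yet
    moved: Decimal               # USDT sent out between proposal and execution

def freeze_exposure(events):
    """Per wallet: length of the proposal-to-execution gap and funds moved in it."""
    proposed, executed, outgoing = {}, {}, {}
    for ts, wallet, kind, amount in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "freeze_proposed":
            proposed.setdefault(wallet, when)      # first proposal opens the window
        elif kind == "freeze_executed":
            executed.setdefault(wallet, when)      # first execution closes it
        elif kind == "transfer_out":
            outgoing.setdefault(wallet, []).append((when, Decimal(amount)))
    report = []
    for wallet, start in proposed.items():
        end = executed.get(wallet)
        moved = sum((amt for when, amt in outgoing.get(wallet, [])
                     if when >= start and (end is None or when < end)), Decimal(0))
        report.append(Exposure(wallet, end - start if end else None, moved))
    return report

def drained_during_window(report):
    """Wallets that moved any funds after the proposal became visible."""
    return [e.wallet for e in report if e.moved > 0]

if __name__ == "__main__":
    for e in freeze_exposure(EVENTS):
        print(e.wallet, e.window, e.moved)
```

Transfers made before the proposal are excluded, and a wallet whose freeze has been proposed but not yet executed is reported with an open window rather than dropped.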
The dangers
AMLBot’s report warns that Tether’s current freezing protocol could jeopardize the largest stablecoin provider. With over $150 billion in circulation as of May 2025, Tether’s vulnerability makes it an attractive target for criminal exploitation.
The issue lies in balancing on-chain transparency and security. While Tether’s protocol aims to maintain accountability, it inadvertently facilitates theft by revealing freeze requests before they are enacted. Hackers can take advantage of this transparency to quickly move stolen assets, undermining the intended protection.
AMLBot also points out that the very feature designed to demonstrate compliance and regulatory control could backfire if not promptly revised. The current setup essentially creates a race condition in which the public nature of the freeze request inadvertently alerts malicious actors.
