A recent AMLBot investigation found a significant lag in freezing malicious wallets containing Tether’s USDT stablecoin on blockchain, which has led to significant financial losses on Ethereum and Tron networks for the last few years.
The report identifies in what ways criminals have been taking advantage of this lag to transfer funds ahead of enforcement. AMLBot clarified that the issue lies in the fact that Tether utilizes multi-signature contracts for freezing decisions.
A freeze request requires numerous approvals before it can be carried out on-chain. This makes it leave a brief moment when the wallet stays active. It is within this crucial lag that malicious players find it easy to transfer funds without being halted by the system.
According to AMLBot’s data, criminals took advantage of this time window to steal $78.1 million using the loophole. Of this amount, $49.6 million vanished through the Tron network, while $28.5 million disappeared on Ethereum. Some wallets managed to complete up to three separate transactions during the short freeze delay.
Tether Tron freeze delay enables transfers
A specific example in the report showed that on Tron, there was a 44-minute delay between a freeze request and its actual implementation. This delay offered enough time for criminals to transfer their assets before any restrictions came into effect.
AMLBot opines that malicious players have even developed real-time freeze attempts detection tools, which are automated. The tools monitor blockchain activity and alert criminals instantaneously before the occurrence of the freeze. This tactic allows them to have an important advantage to act first before they lose control over the funds.
AMLBot’s CEO stated that these tools likely track specific contract interactions on-chain to provide instant alerts. Though the tools have not been directly seen, behavioral patterns suggest automation is likely involved in these transactions.
Security company PeckShield reviewed AMLBot’s analysis and confirmed the issue as an operation lag. They suggested improving the procedure by combining freeze requests and required signatures under one transaction. This would close the temporal hole being used by nefarious users.
