$3M USDT FROZEN
IN 48 HOURS
Our Case. Episode 1
The theft of 3M USDT and a Tether freeze within 48 hours: the power of rapid tagging
In one of our recent cases, a client from the CIS had the seed phrase of their wallet compromised. Nearly 3 million USDT were stored on that wallet. The attacker immediately moved the funds to two newly created addresses. In situations like this, time usually works against the victim — but in this case, everything changed thanks to a fast response from both the client and our team.
We quickly initiated AML tagging across key analytics systems so the attacker’s addresses would be marked as stolen assets. At the same time, we prepared a documentation package for law enforcement, and the official request to Tether was sent the very same day.
Both factors — tagging and legal grounds — turned out to be decisive.
In less than 48 hours, Tether froze both addresses at the smart-contract level. The funds are now in the process of being reissued to the rightful owner.
What this case shows
Rapid tagging is not a formality or a secondary step. For issuers and services, it’s a clear signal that the assets are stolen. Combined with a fast legal request, it creates a window in which a freeze is still possible.
The main takeaway is simple: the speed of response and the visibility of stolen assets in analytics are critical factors that make it possible to stop the movement of funds before the attacker has time to “wash them away.”
The theft of 3M USDT and a Tether freeze within 48 hours: the power of rapid tagging
In one of our recent cases, a client from the CIS had the seed phrase of their wallet compromised. Nearly 3 million USDT were stored on that wallet. The attacker immediately moved the funds to two newly created addresses. In situations like this, time usually works against the victim — but in this case, everything changed thanks to a fast response from both the client and our team.
We quickly initiated AML tagging across key analytics systems so the attacker’s addresses would be marked as stolen assets. At the same time, we prepared a documentation package for law enforcement, and the official request to Tether was sent the very same day.
Both factors — tagging and legal grounds — turned out to be decisive.
In less than 48 hours, Tether froze both addresses at the smart-contract level. The funds are now in the process of being reissued to the rightful owner.
What this case shows
Rapid tagging is not a formality or a secondary step. For issuers and services, it’s a clear signal that the assets are stolen. Combined with a fast legal request, it creates a window in which a freeze is still possible.
The main takeaway is simple: the speed of response and the visibility of stolen assets in analytics are critical factors that make it possible to stop the movement of funds before the attacker has time to “wash them away.”
Blog