USDT and USDC Freezing Requests: Evidence Packet Checklist for Counsel

USDT and USDC are not bearer assets. Tether Ltd (USDT issuer) and Circle Internet Financial (USDC issuer) retain the ability to blacklist addresses on their respective issuer contracts; once blacklisted, those tokens become unspendable for the holder. The blacklisted balance is preserved in place, frozen in the technical sense — the attacker cannot transfer them, swap them, or off-ramp them.

In practice this means: when stolen funds are sitting in stablecoin form anywhere on a supported chain, a well-formed freezing request to the issuer is often faster than waiting for a VASP subpoena response. Tether published in 2024 that it had frozen over $2.5B cumulative since inception across law-enforcement requests; Circle has similar (smaller) public reporting. For pig-butchering, large theft, and ransom cases, freezing has recovered nine-figure totals globally in the past two years and represents the single highest-leverage tool in the early-hours of a stablecoin-routed incident.

The freezing channel runs in parallel with the VASP subpoena channel — they don't compete. A typical 5CIP recovery sequence runs both simultaneously: VASP subpoena targets the off-ramp counterparty for identity and customer-funds recovery; issuer freeze targets the in-flight stablecoin balances regardless of which address they currently sit in.

Coverage of the issuer-level freeze capability differs by stablecoin and chain. Use the correct token contract address for the chain — this is the #1 reason freeze requests get bounced.

• USDT (Tether): Freezable on Ethereum, Tron, BSC, Polygon, Avalanche, Arbitrum, Optimism, Solana, Algorand, EOS, Liquid, and (since 2024) Aptos. Tether has blacklist enforcement on all of these. Each chain has a different USDT contract — Ethereum is 0xdAC17F95...831ec7, Tron is TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t, BSC is 0x55d398...82955, Solana is Es9vMFrz...uM4DSfTd.
• USDC (Circle): Freeze/burn capable on Ethereum, Solana, Algorand, Polygon, Avalanche, Stellar, Arbitrum, Optimism, Base, NEAR, Noble (Cosmos), Hedera, Polygon zkEVM, Sui. Circle uses CENTRE's blacklist mechanism (the blacklist(address) function on the issuer contract).
• DAI: NOT freezable. MakerDAO does not have a blacklist function on the DAI contract by design. Stolen DAI cannot be issuer-frozen — recovery requires VASP subpoena or other channels.
• FRAX: NOT freezable. Algorithmic / partial-collateral; no issuer blacklist.
• TUSD (TrustToken): Freezable; smaller compliance team but responsive to LE requests.
• GUSD (Gemini Dollar): Freezable; Gemini's compliance team handles requests directly.
• BUSD (Paxos): Freezable but stopped minting Feb 2023; legacy balances may still be subject to freeze.
• PYUSD (PayPal): Freezable via Paxos as issuer.
• USDe (Ethena): Freeze capability exists but rarely invoked; engage via Ethena compliance.
• WBTC (wrapped BTC): Custodian (BitGo) can freeze the underlying BTC, but the WBTC token itself does not have on-chain blacklist enforcement.

Tether and Circle compliance teams process hundreds of requests per week. The ones that get fast action are the ones formatted to minimize back-and-forth. The required fields:

• Full 66-character TX hashes of every flow into the target address. Partial hashes get bounced. For Tron, the hash is 64 characters; specify the chain explicitly.
• Target address(es) to freeze — full 42-character checksum-cased for EVM chains, 34-character for Tron, base58 for Solana. Multi-address requests are accepted; itemize each.
• Chain identifier — explicit chain name AND chain ID where applicable (ETH=1, BSC=56, Polygon=137, Tron is non-EVM so just "TRON"). Avoid ambiguity — "Polygon" means PoS-Polygon, not zkEVM, unless specified.
• Token contract address for the specific chain (USDT and USDC have different contracts per chain — use the correct one; the wrong contract = freeze request operates on different token).
• Token amount remaining at the time of the request, both raw integer (uint256) and decimal-adjusted (e.g., 5,000,000,000 raw / 5,000.00 USDT). Issuers verify before freezing to ensure the request is still actionable.
• USD value at current rate — used for the compliance team's internal prioritization triage.
• Underlying offense type + jurisdiction where reported + filed police report number. Tether/Circle prioritize requests with active law-enforcement involvement; requests without an LE report number queue significantly slower.
• LE agency contact — name, agency, badge number, email of the officer assigned to the case. Compliance teams will cc this officer when actioning.
• Counsel of record + bar number + jurisdiction. Issuers will not act on requests from non-attorneys without an LE referral.
• Brief narrative (1-2 paragraphs) explaining how the stolen funds reached the target address, with the TX-hash trail as evidence.
• Confidence statement — explicit statement that the target address is attributable to the perpetrator (not a downstream third-party). Mis-attribution leading to freezing of innocent-party funds can create civil liability for the requesting counsel.

• Tether — primary intake at [email protected] for LE requests, [email protected] for counsel-led requests. Tether typically requires the originating LE agency to be on copy. Tether's published "Recovery Tool" portal (T3 partnership with TRM Labs) provides a structured submission form for some jurisdictions.
• Circle — [email protected] for counsel-led requests; a sworn declaration or a court order materially accelerates action. Circle also accepts structured intake via specific LE partnership channels (USSS, FBI, EUROPOL).
• MLAT / agency routing — the agencies operating under MLAT (US DOJ Office of International Affairs, UK NCA, EUROPOL, INTERPOL Crypto Asset Recovery) have direct relationships with the issuers; routing through those agencies is often the fastest path for non-US counsel and produces the strongest evidentiary chain.
• VASP-mediated freeze — when stolen funds have already reached a regulated VASP, requesting the VASP itself to freeze (with parallel issuer notification) is often faster than waiting for issuer action alone. The VASP's freeze is operational immediately; the issuer freeze takes 24-72h.
• T3 Financial Crime Unit (Tether + TRM + Tron) — for Tron-chain USDT specifically, T3 is the dedicated freezing channel established 2024. Faster response window (often under 24h) for cases above material thresholds.

For Tron-routed APAC pig-butchering cases, the T3 channel is the fastest single path and should be invoked in parallel with Tether's standard compliance channel.

• Tether median time-to-freeze on a well-formed LE-backed request: 24-72 hours. T3 channel: often under 24 hours for above-threshold cases.
• Circle median time-to-freeze: 24-72 hours with LE involvement; up to 5-10 business days for counsel-only requests.
• Requests without LE backing can sit for weeks. File the local police report first; attach the report number to the freeze request from the start.
• Freeze is not return. A frozen address has the tokens preserved in place. The issuer holds the asset in a technical sense (the holder cannot move them) but does not automatically return funds to victims. Recovery to victims requires a separate court order directing transfer (rare) or burn-and-reissue to victim (more common for material cases).
• Two-step recovery is the norm: freeze first (preserves the asset, prevents off-ramp), then court order (directs disposition). Plan and budget for both steps from intake.
• Race conditions: in active-laundering windows, attacker may move tokens faster than the issuer can freeze. Forensics + freezing should be set up as a continuous monitoring loop, not a one-shot request, for the first 24-72 hours after detection.

• Wrong token contract address. Using ETH USDT contract on a request that involves Tron USDT = bounce. Always verify the contract per chain.
• Partial TX hashes. "0xabc123..." is not actionable. Always send full 66-character (or 64-character for Tron) hashes.
• Missing police report number. Without an active LE report, requests deprioritize to weeks. File first, attach number, then submit.
• Address typos. A single character change in a 42-character address points to a different account. Use copy-paste only, never retype. Verify checksum-case.
• Stale balance. Requesting freeze of $5M USDT when only $50K remains on the address = compliance team sees the discrepancy and re-verifies, costing 24-48 hours. Re-check the balance immediately before submission and update if it has moved.
• Conflating addresses across chains. Solana addresses are not EVM addresses. Tron addresses start with T, not 0x. Stating "the attacker address 0xabc... on Tron" makes the request unworkable.
• Mass-listing third-party addresses. Freezing addresses that are downstream third parties (DEX pools, bridge contracts, exchange omnibus deposit addresses) does not lock the attacker's funds and freezes innocent users. Compliance teams will refuse the request and may flag counsel.
• No counsel narrative. A bare list of addresses without context gets deprioritized vs the same list with a 2-paragraph narrative explaining the case.
• Forgetting to renew. Freeze orders for some jurisdictions are time-bound. Track expirations and renew before lapse.

The single most serious downside of issuer freezing is freezing the wrong address. Stablecoins routinely flow through addresses controlled by exchanges, market makers, DEXes, bridge custodians, and individual users who are not part of the offense. A freeze on such an address can cause material damages to a third party and create civil liability for the requesting counsel.

5CIP's mitigation protocol before any freeze request:

• Address attribution check. Verify via at least two label sources (MistTrack + Arkham, or Chainalysis + Etherscan tags) that the address is not a known exchange / DEX / bridge / mixer pool / market maker.
• Activity-pattern check. Address with thousands of transactions, multiple inflows from unrelated sources, regular outflows to many recipients = high probability of being a service address, not an attacker-controlled wallet. Such addresses are NOT included in freeze requests even if they appear in the trace.
• Balance-source ratio. If the address contains $10M and the attributed stolen funds are $50K, the freeze would block $9.95M of unrelated funds. The freeze request limits to the attributed amount where issuer process supports partial freezing, or flags the address as "third-party — do not freeze full balance" where it does not.
• Counsel sign-off. Final freeze request is reviewed by counsel of record before submission. 5CIP does not unilaterally submit freeze requests on behalf of a case.

Counsel issuing freeze requests should carry professional liability insurance covering potential mis-freeze claims. The compliance teams at Tether and Circle keep records of which counsel have submitted erroneous requests; a track record of mis-freezes materially slows future requests from the same counsel.

• US-nexus cases: route through FBI / USSS / OFAC depending on the predicate offense. OFAC referral adds a sanctions enforcement angle for DPRK-attributed or Iran/Russia-related cases.
• UK-nexus: NCA Asset Confiscation Enforcement, or City of London Police Action Fraud + intelligence routing.
• EU-nexus: EUROPOL European Cybercrime Centre (EC3); national FIU per member state.
• Hong Kong: HKMA + CCB joint route. Stablecoin issuers respond well to HK process.
• Singapore: STRO (Suspicious Transaction Reporting Office) + Anti-Scam Centre; MAS as licensing authority over local VASPs.
• Other APAC (MY/TH/PH/ID/VN): local FIU + bilateral cooperation with Tether/Circle directly. Less precedent than HK/SG but established.
• Cross-jurisdictional (typical APAC pig-butchering): victim jurisdiction files police report; counsel routes freeze packet through INTERPOL Crypto Asset Recovery initiative or directly to issuers with police-report number from victim jurisdiction. Issuers do not require US-nexus.

The 5CIP per-case packet includes a pre-drafted submission letter formatted for the counsel's jurisdiction and ready to attach to the freeze request, eliminating the back-and-forth that typically slows first-time freeze requests. See the full forensic methodology for how the packet integrates with the rest of the evidence chain. Counsel can open a case at /case-intake; individual victims (not counsel) start at /usdt-scam-recovery.

The freeze and VASP-subpoena tracks should run in parallel, not sequentially. They recover different things:

• Issuer freeze preserves the in-flight stablecoin balance regardless of which address holds it. Covers funds that are still in stablecoin form anywhere on chain.
• VASP subpoena recovers (a) the identity of the off-ramp counterparty, (b) any customer funds the VASP has not yet released, and (c) the bank/PSP records for the fiat off-ramp leg. Does not preserve the on-chain stablecoin balance — that requires the freeze in parallel.
• Tether/Circle issuer freeze + VASP subpoena together cover both the on-chain preservation and the off-ramp identification. Either alone leaves a gap.

The 5CIP report identifies freeze targets and subpoena targets separately, with the recommended sequence and parallel timing. Counsel can prioritize based on the specific case posture (early-detection = freeze first; late-detection = subpoena first since funds likely off-ramped).

• T3 Financial Crime Unit (Tron + Tether + TRM, est. 2024): dedicated channel for Tron-chain USDT freezing; published recovery numbers in nine figures within first year.
• Tether published transparency reports (2023-2025): cumulative blacklist totals, geographic breakdown of LE requests, average response times. Useful precedent for counsel filings.
• Circle's Compliance Engineering team expansion 2024-2025: faster median response, particularly for non-US requests under sufficient process.
• Multiple US criminal forfeitures 2024-2025 included issuer-frozen stablecoins as the seized assets, establishing federal court familiarity with the freeze-then-forfeit pattern.
• Hong Kong High Court orders 2023-2025 against stablecoin destinations: HK courts have ordered Tether to maintain freezes pending civil determination; precedent useful for HK and SG counsel.
• Stablecoin diversification: as USDT/USDC freezes have become more common, sophisticated attackers have shifted away from stablecoin holding mid-laundering toward immediate conversion to BTC/ETH/XMR. This has shrunk the freezing window from hours to minutes for top-tier attackers.