
Criminal Use of Cryptocurrency and Digital Forensics in Cybercrime Investigations

Tags: cryptocurrency-platform-risk, cybercrime-service-ecosystem, ransomware-group-operation, credential-stealer-activity

Updated April 13, 2026 at 05:44 AM (2 sources)

Cybercriminals increasingly leverage cryptocurrencies for illicit activities such as ransomware payments, data theft extortion, sale of network access, and the resale of credentials and exploits. The pseudonymity, global reach, speed, and irreversibility of cryptocurrency transactions make them attractive for threat actors, requiring defenders to blend advanced technical skills with traditional investigative techniques. Security professionals are advised to understand both the technical mechanisms of cryptocurrency and the investigative approaches needed to trace and counter these criminal activities, as highlighted in specialized training sessions and threat intelligence research.

To effectively investigate and respond to cybercrime involving cryptocurrencies and other digital evidence, organizations rely on a suite of digital forensics tools. These tools, such as Cellebrite for mobile device analysis and Magnet Axiom for comprehensive computer forensics, enable incident response teams to uncover, analyze, and interpret digital evidence, track attacker movement, and understand adversary tactics, techniques, and procedures. Modern enhancements, including cloud-based collaboration and AI-powered analysis, further support investigators in reducing case review time and detecting sophisticated modifications, such as AI-altered images.

Timeline

  1. Dec 23, 2025: Story first reported (initial story creation)


Sources

  1. December 23, 2025
  2. December 22, 2025

Related Stories

Criminal Use and Seizure of Cryptocurrency Assets

Illicit actors continue to hold and move significant amounts of cryptocurrency, with on-chain balances linked to criminal activity now exceeding $75 billion. According to blockchain analytics, nearly $15 billion is directly held by entities identified as illicit, with stolen funds representing the largest share of these holdings. Downstream wallets, which have received more than 10% of their inflows from illicit sources, collectively hold over $60 billion, indicating that the reach of criminal proceeds extends far beyond the original perpetrators. Darknet market administrators and vendors alone control over $40 billion in on-chain value, highlighting the scale of underground digital economies. Bitcoin remains the dominant cryptocurrency among illicit balances, accounting for 75% of the total, though stablecoins and ether have seen substantial growth in criminal usage. The concentration of these funds is typically high, with a small number of wallets holding the majority of assets. Illicit actors are adapting their laundering techniques, increasingly using more cashout addresses for shorter periods to evade detection. Direct transfers from illicit entities to exchanges have dropped significantly, from about 40% of quarterly value in 2021–2022 to just 15% in Q2 2025, reflecting changes in both enforcement and criminal tactics. Law enforcement agencies, particularly in the United States, are responding by establishing strategic reserves and stockpiles of seized digital assets, and have already confiscated over $12.6 billion in illicit funds with the help of blockchain analytics firms. The timing of enforcement actions varies, with market-based illicit services tending to operate longer before being disrupted. Once illicit entities stop receiving funds, the speed at which they empty their wallets depends on the type of cryptocurrency held. 
Meanwhile, specific high-profile incidents continue to occur, such as the $21 million theft from SBI Crypto, a subsidiary of Japan's SBI Group. In this case, hackers stole a variety of cryptocurrencies, including bitcoin, ethereum, litecoin, dogecoin, and bitcoin cash, and laundered the proceeds through Tornado Cash, a mixing service favored by cybercriminals. Investigators noted that the tactics and laundering patterns in the SBI Crypto heist closely resembled those used by North Korean hacking groups, suggesting a possible link to Pyongyang's ongoing campaign to finance illicit activities through digital asset theft. The SBI Crypto incident is part of a broader trend, with North Korean threat actors reportedly stealing a record $2 billion in cryptocurrency so far this year. These developments underscore the persistent threat posed by sophisticated cybercriminals and nation-state actors in the cryptocurrency ecosystem, as well as the evolving strategies of both criminals and law enforcement in the battle over digital assets. The growing landscape of seizable crypto assets presents both a challenge and an opportunity for authorities seeking to disrupt illicit financial flows. As criminals refine their methods, the need for advanced analytics and coordinated international enforcement becomes increasingly critical. The ongoing arms race between cybercriminals and law enforcement is likely to shape the future of digital asset security and regulation.

Major Cryptocurrency-Related Cybercrime Prosecutions and Asset Seizures

Law enforcement agencies in multiple countries have made significant progress in prosecuting individuals and groups involved in large-scale cryptocurrency-related cybercrimes. In the United States, a California man pleaded guilty to laundering at least $25 million as part of a group that stole $230 million in cryptocurrency through social engineering and account takeovers. The group, composed of young adults from several states and abroad, used various tactics to compromise victims' crypto accounts and launder the proceeds, with several members facing charges including wire fraud, racketeering, and money laundering. In the United Kingdom, prosecutors secured a civil recovery order to seize over £4.11 million ($5.39 million) in crypto assets from Joseph James O'Connor, who was convicted for his role in the 2020 Twitter mega-hack. O'Connor and his associates used SIM-swapping and social engineering to hijack high-profile Twitter accounts, soliciting Bitcoin from followers and amassing illicit gains. These actions demonstrate the increasing effectiveness of international law enforcement in tracing, prosecuting, and recovering assets from cybercriminals who exploit cryptocurrency for large-scale fraud and theft.

Record Surge in Crypto Crime and Nation-State Sanctions Evasion via Blockchain

Illicit cryptocurrency activity reached unprecedented levels in 2025, with at least $154 billion in crypto flowing to addresses linked to criminal activity, according to Chainalysis. This surge was primarily driven by a dramatic increase in transactions involving sanctioned entities, which saw a 694% year-over-year rise. Nation-states have become increasingly involved, leveraging both established criminal infrastructure and developing their own on-chain systems to evade sanctions at scale. The professionalization of the illicit crypto ecosystem now enables transnational criminal networks and governments to launder funds and procure goods and services more efficiently, raising the stakes for both consumer protection and national security. Concurrently, global fraud has evolved into a strategic tool for both organized crime and hostile states, integrating advanced technical tactics such as bot farms, malware, and cryptocurrencies. Governments and private sector organizations are responding by forming international task forces to address the industrialization of fraud, which now rivals the GDP of major economies. North Korea and other pariah states are specifically cited for weaponizing cyber-enabled fraud networks to circumvent sanctions and generate revenue, further blurring the lines between traditional financial crime and cyberwarfare. The convergence of nation-state actors and criminal syndicates in the crypto space underscores the urgent need for coordinated global action to counter these threats.
