Record Surge in Crypto Crime and Nation-State Sanctions Evasion via Blockchain
Illicit cryptocurrency activity reached unprecedented levels in 2025, with at least $154 billion in crypto flowing to addresses linked to criminal activity, according to Chainalysis. This surge was primarily driven by a dramatic increase in transactions involving sanctioned entities, which saw a 694% year-over-year rise. Nation-states have become increasingly involved, leveraging both established criminal infrastructure and developing their own on-chain systems to evade sanctions at scale. The professionalization of the illicit crypto ecosystem now enables transnational criminal networks and governments to launder funds and procure goods and services more efficiently, raising the stakes for both consumer protection and national security.
Concurrently, global fraud has evolved into a strategic tool for both organized crime and hostile states, integrating advanced technical tactics such as bot farms, malware, and cryptocurrencies. Governments and private sector organizations are responding by forming international task forces to address the industrialization of fraud, which now rivals the GDP of major economies. North Korea and other pariah states are specifically cited for weaponizing cyber-enabled fraud networks to circumvent sanctions and generate revenue, further blurring the lines between traditional financial crime and cyberwarfare. The convergence of nation-state actors and criminal syndicates in the crypto space underscores the urgent need for coordinated global action to counter these threats.
Timeline
Jan 8, 2026
Chainalysis publishes 2026 Crypto Crime Report findings
On January 8, 2026, Chainalysis published findings that 2025 crypto crime hit record highs, highlighting nation-state sanctions evasion, North Korean theft, Russian A7A5 activity, and the growing role of stablecoins and laundering networks.
Jan 6, 2026
ACAMS launches international anti-fraud and technology task force
By January 6, 2026, ACAMS announced a new International Anti-Fraud and Technology Task Force with US and UK government partnership and 40 founding members to coordinate a systemic response to industrialized fraud.
Dec 31, 2025
Chinese laundering networks expand role in global illicit crypto flows
Chainalysis identified Chinese criminal money-laundering networks, especially those operating across Southeast Asia, as major providers of laundering services for a wide range of illicit actors in 2025.
Dec 31, 2025
Stablecoins become dominant in illicit crypto flows
By 2025, stablecoins accounted for 84% of illicit cryptocurrency transaction volume, reflecting their growing use by criminal and sanctioned actors for fast, borderless transfers.
Dec 31, 2025
North Korean actors steal about $2 billion in crypto in 2025
Chainalysis attributed roughly $2 billion in cryptocurrency theft during 2025 to North Korean hackers, underscoring the growing role of nation-states in on-chain crime and sanctions evasion.
Dec 31, 2025
Illicit crypto activity reaches record levels in 2025
Chainalysis reported that illicit cryptocurrency addresses received at least $154 billion in 2025, a 162% year-over-year increase. The surge was driven heavily by a 694% rise in value received by sanctioned entities, while illicit activity still remained under 1% of total crypto volume.
Jan 1, 2025
Russia launches ruble-backed A7A5 token
In 2025, Russia launched the ruble-backed A7A5 token, which Chainalysis said facilitated more than $93 billion in transactions and became a major vehicle for sanctions-evasion-related activity.
Jan 1, 2024
Russia passes legislation enabling crypto-based sanctions evasion
According to Chainalysis reporting cited by Dark Reading, Russia enacted legislation in 2024 that helped enable the use of cryptocurrency infrastructure to evade financial sanctions.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Organizations
Affected Products
Sources
Related Stories
Crypto Sanctions Evasion and Illicit Finance via Digital Assets
New reporting highlighted the growing role of **cryptocurrency in sanctions evasion and illicit finance**, with 2025 seeing a sharp increase in value received by sanctioned entities and record illicit transaction volume. Chainalysis reported a **694% surge** in value received by sanctioned entities and described nation-state integration of crypto into national financial infrastructure, including **Iranian state-linked activity** (with **IRGC/proxy networks** accounting for over half of value received in Q4 2025) and Russia-linked sanctions workarounds such as the **ruble-backed A7A5 stablecoin**, which processed **$93.3B** in under a year. The same reporting noted sanctions against exchanges **Grinex** and **Meer** for facilitating A7A5-related activity, and assessed that **North Korea stole over $2B in crypto in 2025**, with proceeds reportedly supporting the regime’s **WMD program**; it also pointed to sanctions targeting Southeast Asian scam facilitators tied to “**pig butchering**” operations. Separate analysis of Iran’s crypto ecosystem described **Nobitex** as a major on/off-ramp with **>$5B** in observed volume since 2025 and extensive exposure to sanctioned and high-risk counterparties. TRM Labs said post–Feb. 28 US-Israeli strikes activity (including **>$35M** moved to cold storage) appeared consistent with operational liquidity management rather than user capital flight, and it detailed how a **June 2025 breach (~$90M loss)** revealed a multi-tier custody architecture (hot/warm/cold wallets) and controls for high-value or politically connected clients, alongside structures intended to mitigate sanctions constraints; TRM also observed **~$2.7M** consolidated from dormant mining-linked wallets after the breach, suggesting reserve mobilization to restore liquidity. Other items in the set—an Europol-backed takedown of a gambling-fraud money-laundering ring exploiting Ukrainian women and a US guilty plea by an alleged **Phobos ransomware** administrator—concern cyber-enabled crime but do not materially address the same crypto-sanctions focus, while a TRM post about legislative testimony is primarily an event write-up rather than incident-specific intelligence.
1 weeks ago
Surge in Crypto-Linked Illicit Finance and Investment Fraud
Blockchain intelligence reporting indicated **illicit cryptocurrency flows hit a record $158B in 2025**, a sharp increase attributed largely to **sanctions-linked activity** (notably Russia-associated networks and stablecoin usage), broader **state and state-aligned adoption of crypto for financial infrastructure** (including Russia, Iran, and Venezuela), and improved attribution/intelligence sharing that surfaced previously unattributed flows. The same reporting highlighted continued criminal monetization via crypto, including **$2.87B stolen across 150 hacks in 2025** (with the largest share concentrated in a small number of incidents) and roughly **$35B sent to scam schemes**, dominated by investment-style fraud. Belgian authorities separately reported escalating **investment fraud losses in H2 2025**, with more than **€10.5M** lost via fraudulent trading platforms often marketed as crypto-related, and an additional **€9.5M+** tied to “exclusive” investment advice pushed through **WhatsApp groups**. In response, Belgium’s CCB/partners promoted public reporting and expanded disruption via the **Belgian Anti-Phishing Shield (BAPS)**, with the FSMA able to submit suspected fraudulent sites for blocking/redirection to warning pages to reduce victimization.
1 months ago
Criminal Use and Seizure of Cryptocurrency Assets
Illicit actors continue to hold and move significant amounts of cryptocurrency, with on-chain balances linked to criminal activity now exceeding $75 billion. According to blockchain analytics, nearly $15 billion is directly held by entities identified as illicit, with stolen funds representing the largest share of these holdings. Downstream wallets, which have received more than 10% of their inflows from illicit sources, collectively hold over $60 billion, indicating that the reach of criminal proceeds extends far beyond the original perpetrators. Darknet market administrators and vendors alone control over $40 billion in on-chain value, highlighting the scale of underground digital economies. Bitcoin remains the dominant cryptocurrency among illicit balances, accounting for 75% of the total, though stablecoins and ether have seen substantial growth in criminal usage. The concentration of these funds is typically high, with a small number of wallets holding the majority of assets. Illicit actors are adapting their laundering techniques, increasingly using more cashout addresses for shorter periods to evade detection. Direct transfers from illicit entities to exchanges have dropped significantly, from about 40% of quarterly value in 2021–2022 to just 15% in Q2 2025, reflecting changes in both enforcement and criminal tactics. Law enforcement agencies, particularly in the United States, are responding by establishing strategic reserves and stockpiles of seized digital assets, and have already confiscated over $12.6 billion in illicit funds with the help of blockchain analytics firms. The timing of enforcement actions varies, with market-based illicit services tending to operate longer before being disrupted. Once illicit entities stop receiving funds, the speed at which they empty their wallets depends on the type of cryptocurrency held. Meanwhile, specific high-profile incidents continue to occur, such as the $21 million theft from SBI Crypto, a subsidiary of Japan's SBI Group. In this case, hackers stole a variety of cryptocurrencies, including bitcoin, ethereum, litecoin, dogecoin, and bitcoin cash, and laundered the proceeds through Tornado Cash, a mixing service favored by cybercriminals. Investigators noted that the tactics and laundering patterns in the SBI Crypto heist closely resembled those used by North Korean hacking groups, suggesting a possible link to Pyongyang's ongoing campaign to finance illicit activities through digital asset theft. The SBI Crypto incident is part of a broader trend, with North Korean threat actors reportedly stealing a record $2 billion in cryptocurrency so far this year. These developments underscore the persistent threat posed by sophisticated cybercriminals and nation-state actors in the cryptocurrency ecosystem, as well as the evolving strategies of both criminals and law enforcement in the battle over digital assets. The growing landscape of seizable crypto assets presents both a challenge and an opportunity for authorities seeking to disrupt illicit financial flows. As criminals refine their methods, the need for advanced analytics and coordinated international enforcement becomes increasingly critical. The ongoing arms race between cybercriminals and law enforcement is likely to shape the future of digital asset security and regulation.
1 months ago