Mallory

Surge in Crypto-Linked Illicit Finance and Investment Fraud

cryptocurrency-platform-risk, identity-impersonation-fraud, phishing-campaign-intelligence, trade-export-control
Updated March 21, 2026 at 02:42 PM (3 sources)

Blockchain intelligence reporting indicated illicit cryptocurrency flows hit a record $158B in 2025, a sharp increase attributed largely to sanctions-linked activity (notably Russia-associated networks and stablecoin usage), broader state and state-aligned adoption of crypto for financial infrastructure (including Russia, Iran, and Venezuela), and improved attribution/intelligence sharing that surfaced previously unattributed flows. The same reporting highlighted continued criminal monetization via crypto, including $2.87B stolen across 150 hacks in 2025 (with the largest share concentrated in a small number of incidents) and roughly $35B sent to scam schemes, dominated by investment-style fraud.

Belgian authorities separately reported escalating investment fraud losses in H2 2025, with more than €10.5M lost via fraudulent trading platforms often marketed as crypto-related, and an additional €9.5M+ tied to “exclusive” investment advice pushed through WhatsApp groups. In response, Belgium’s CCB/partners promoted public reporting and expanded disruption via the Belgian Anti-Phishing Shield (BAPS), with the FSMA able to submit suspected fraudulent sites for blocking/redirection to warning pages to reduce victimization.

Timeline

  1. Jan 29, 2026

    Belgian authorities use BAPS to block fraudulent investment sites

    The CCB and FSMA said they were using the Belgian Anti-Phishing Shield to block access to fraudulent investment websites and redirect users to a warning page. This was described as part of their response to rising investment fraud.

  2. Dec 31, 2025

    TRM finds ransomware ecosystem fragmented in 2025

    TRM Labs observed elevated ransomware inflows in 2025, a record number of victims listed on extortion portals, and signs that more victims were refusing to pay. The firm also documented ecosystem fragmentation, with 161 active strains and 93 new variants, alongside a shift in laundering from mixers to bridges and cross-chain routing.

  3. Dec 31, 2025

    TRM reports $35 billion sent to crypto fraud schemes in 2025

    According to TRM Labs, roughly $35 billion was sent to scam operations in 2025, with investment scams such as romance baiting, Ponzi schemes, and fake task scams dominating. The report said these schemes appeared increasingly professional, potentially aided by AI tools.

  4. Dec 31, 2025

    TRM says illicit crypto flows hit record $158 billion in 2025

    TRM Labs reported that illegal cryptocurrency flows reached a record $158 billion in 2025, up 145% from 2024 and reversing a three-year decline. The firm attributed the increase mainly to sanctions-linked activity, expanded nation-state use of crypto, and improved attribution of previously unattributed flows.

  5. Dec 31, 2025

    TRM records $2.87 billion stolen across 150 crypto hacks in 2025

    TRM Labs reported that 150 hacking incidents in 2025 caused $2.87 billion in losses. The total included the Bybit breach as the dominant event of the year.

  6. Dec 31, 2025

    Belgian victims lose over €20 million to investment fraud in H2 2025

    FSMA figures for the second half of 2025 showed more than €10.5 million lost through fraudulent trading platforms and more than €9.5 million through WhatsApp-based 'exclusive' investment advice schemes. The scams were largely tied to purported cryptocurrency investments and represented nearly half of fraud reports received by the FSMA.

  7. Oct 31, 2025

    Fraud reports rose during October campaign month

    During October 2025, reports of fraudulent investment platforms increased in Belgium. Authorities interpreted the rise as a sign of improved public awareness and reporting during the campaign period.

  8. Oct 1, 2025

    Safeonweb investment-fraud awareness campaign launched in Belgium

    The Belgian Cyber Security Centre (CCB) and partners launched the Safeonweb investment-fraud awareness campaign in 2025 to address growing investment fraud. Later figures were presented as validating the need for this campaign.

  9. Feb 1, 2025

    Bybit breach causes $1.46 billion in crypto losses

    A February 2025 breach of Bybit resulted in about $1.46 billion in losses. TRM Labs attributed the incident to North Korean hackers, making it the largest single hack cited in its 2025 illicit crypto analysis.


Related Stories

Record Surge in Crypto Crime and Nation-State Sanctions Evasion via Blockchain

Illicit cryptocurrency activity reached unprecedented levels in 2025, with at least $154 billion in crypto flowing to addresses linked to criminal activity, according to Chainalysis. This surge was primarily driven by a dramatic increase in transactions involving sanctioned entities, which saw a 694% year-over-year rise. Nation-states have become increasingly involved, leveraging both established criminal infrastructure and developing their own on-chain systems to evade sanctions at scale. The professionalization of the illicit crypto ecosystem now enables transnational criminal networks and governments to launder funds and procure goods and services more efficiently, raising the stakes for both consumer protection and national security. Concurrently, global fraud has evolved into a strategic tool for both organized crime and hostile states, integrating advanced technical tactics such as bot farms, malware, and cryptocurrencies. Governments and private sector organizations are responding by forming international task forces to address the industrialization of fraud, which now rivals the GDP of major economies. North Korea and other pariah states are specifically cited for weaponizing cyber-enabled fraud networks to circumvent sanctions and generate revenue, further blurring the lines between traditional financial crime and cyberwarfare. The convergence of nation-state actors and criminal syndicates in the crypto space underscores the urgent need for coordinated global action to counter these threats.

1 month ago
Crypto Sanctions Evasion and Illicit Finance via Digital Assets

New reporting highlighted the growing role of **cryptocurrency in sanctions evasion and illicit finance**, with 2025 seeing a sharp increase in value received by sanctioned entities and record illicit transaction volume. Chainalysis reported a **694% surge** in value received by sanctioned entities and described nation-state integration of crypto into national financial infrastructure, including **Iranian state-linked activity** (with **IRGC/proxy networks** accounting for over half of value received in Q4 2025) and Russia-linked sanctions workarounds such as the **ruble-backed A7A5 stablecoin**, which processed **$93.3B** in under a year. The same reporting noted sanctions against exchanges **Grinex** and **Meer** for facilitating A7A5-related activity, and assessed that **North Korea stole over $2B in crypto in 2025**, with proceeds reportedly supporting the regime’s **WMD program**; it also pointed to sanctions targeting Southeast Asian scam facilitators tied to “**pig butchering**” operations. Separate analysis of Iran’s crypto ecosystem described **Nobitex** as a major on/off-ramp with **>$5B** in observed volume since 2025 and extensive exposure to sanctioned and high-risk counterparties. TRM Labs said activity following the Feb. 28 US-Israeli strikes (including **>$35M** moved to cold storage) appeared consistent with operational liquidity management rather than user capital flight, and it detailed how a **June 2025 breach (~$90M loss)** revealed a multi-tier custody architecture (hot/warm/cold wallets) and controls for high-value or politically connected clients, alongside structures intended to mitigate sanctions constraints; TRM also observed **~$2.7M** consolidated from dormant mining-linked wallets after the breach, suggesting reserve mobilization to restore liquidity.
Other items in the set (a Europol-backed takedown of a gambling-fraud money-laundering ring exploiting Ukrainian women and a US guilty plea by an alleged **Phobos ransomware** administrator) concern cyber-enabled crime but do not materially address the same crypto-sanctions focus, while a TRM post about legislative testimony is primarily an event write-up rather than incident-specific intelligence.

1 week ago
Criminal Use and Seizure of Cryptocurrency Assets

Illicit actors continue to hold and move significant amounts of cryptocurrency, with on-chain balances linked to criminal activity now exceeding $75 billion. According to blockchain analytics, nearly $15 billion is directly held by entities identified as illicit, with stolen funds representing the largest share of these holdings. Downstream wallets, which have received more than 10% of their inflows from illicit sources, collectively hold over $60 billion, indicating that the reach of criminal proceeds extends far beyond the original perpetrators. Darknet market administrators and vendors alone control over $40 billion in on-chain value, highlighting the scale of underground digital economies. Bitcoin remains the dominant cryptocurrency among illicit balances, accounting for 75% of the total, though stablecoins and ether have seen substantial growth in criminal usage. The concentration of these funds is typically high, with a small number of wallets holding the majority of assets. Illicit actors are adapting their laundering techniques, increasingly using more cashout addresses for shorter periods to evade detection. Direct transfers from illicit entities to exchanges have dropped significantly, from about 40% of quarterly value in 2021–2022 to just 15% in Q2 2025, reflecting changes in both enforcement and criminal tactics. Law enforcement agencies, particularly in the United States, are responding by establishing strategic reserves and stockpiles of seized digital assets, and have already confiscated over $12.6 billion in illicit funds with the help of blockchain analytics firms. The timing of enforcement actions varies, with market-based illicit services tending to operate longer before being disrupted. Once illicit entities stop receiving funds, the speed at which they empty their wallets depends on the type of cryptocurrency held. 
Meanwhile, specific high-profile incidents continue to occur, such as the $21 million theft from SBI Crypto, a subsidiary of Japan's SBI Group. In this case, hackers stole a variety of cryptocurrencies, including bitcoin, ethereum, litecoin, dogecoin, and bitcoin cash, and laundered the proceeds through Tornado Cash, a mixing service favored by cybercriminals. Investigators noted that the tactics and laundering patterns in the SBI Crypto heist closely resembled those used by North Korean hacking groups, suggesting a possible link to Pyongyang's ongoing campaign to finance illicit activities through digital asset theft. The SBI Crypto incident is part of a broader trend, with North Korean threat actors reportedly stealing a record $2 billion in cryptocurrency so far this year. These developments underscore the persistent threat posed by sophisticated cybercriminals and nation-state actors in the cryptocurrency ecosystem, as well as the evolving strategies of both criminals and law enforcement in the battle over digital assets. The growing landscape of seizable crypto assets presents both a challenge and an opportunity for authorities seeking to disrupt illicit financial flows. As criminals refine their methods, the need for advanced analytics and coordinated international enforcement becomes increasingly critical. The ongoing arms race between cybercriminals and law enforcement is likely to shape the future of digital asset security and regulation.

1 month ago