Crypto Sanctions Evasion and Illicit Finance via Digital Assets
New reporting highlighted the growing role of cryptocurrency in sanctions evasion and illicit finance, with 2025 seeing a sharp increase in value received by sanctioned entities and record illicit transaction volume. Chainalysis reported a 694% surge in value received by sanctioned entities and described nation-state integration of crypto into national financial infrastructure, including Iranian state-linked activity (with IRGC/proxy networks accounting for over half of value received in Q4 2025) and Russia-linked sanctions workarounds such as the ruble-backed A7A5 stablecoin, which processed $93.3B in under a year. The same reporting noted sanctions against exchanges Grinex and Meer for facilitating A7A5-related activity, and assessed that North Korea stole over $2B in crypto in 2025, with proceeds reportedly supporting the regime’s WMD program; it also pointed to sanctions targeting Southeast Asian scam facilitators tied to “pig butchering” operations.
Separate analysis of Iran’s crypto ecosystem described Nobitex as a major on/off-ramp with >$5B in observed volume since 2025 and extensive exposure to sanctioned and high-risk counterparties. TRM Labs said activity after the Feb. 28 US-Israeli strikes (including >$35M moved to cold storage) appeared consistent with operational liquidity management rather than user capital flight. It also detailed how a June 2025 breach (~$90M loss) revealed a multi-tier custody architecture (hot/warm/cold wallets) and controls for high-value or politically connected clients, alongside structures intended to mitigate sanctions constraints. TRM further observed ~$2.7M consolidated from dormant mining-linked wallets after the breach, suggesting reserve mobilization to restore liquidity. Other items in the set (a Europol-backed takedown of a gambling-fraud money-laundering ring exploiting Ukrainian women, and a US guilty plea by an alleged Phobos ransomware administrator) concern cyber-enabled crime but do not materially address the same crypto-sanctions focus, while a TRM post about legislative testimony is primarily an event write-up rather than incident-specific intelligence.
Timeline
Apr 28, 2026
US Treasury freezes $344 million in Iran-linked cryptocurrency
On 2026-04-28, the U.S. Treasury Department froze more than $344 million in cryptocurrency tied to Iran as part of Operation Economic Fury and the broader maximum-pressure campaign. Officials said the move targeted digital-asset channels linked to sanctions evasion, weapons procurement, and other Iranian revenue streams.
Apr 24, 2026
EU imposes first country-level export restrictions on Kyrgyzstan
On 2026-04-24, the European Union adopted sanctions restricting exports of CNC machines and radio equipment to Kyrgyzstan, citing a high risk of re-export to Russia for missile and drone production. The move marked the first direct country-level EU trade restrictions on Kyrgyzstan after consultations with Bishkek failed to halt the flow of sensitive goods.
Apr 23, 2026
UK lawmakers urge sanctions on Kyrgyz officials over A7A5 crypto evasion
On 2026-04-23, a cross-party group of 26 British MPs called on the U.K. government to sanction senior Kyrgyz officials for allegedly enabling the ruble-pegged cryptocurrency A7A5 to operate from Kyrgyzstan and support Russian sanctions evasion. The lawmakers warned that broader sectoral sanctions on Kyrgyzstan could follow if the alleged complicity continues.
Apr 9, 2026
Iran reportedly accepts crypto payments from Strait of Hormuz shipping
By April 2026, reporting indicated Iran was accepting cryptocurrency payments, including bitcoin and reportedly USD-pegged stablecoins, from cargo ships transiting the Strait of Hormuz. Analysts cited this as a new extension of Iran's sanctions-evasion trade network, linking maritime commerce to IRGC-associated crypto and stablecoin use.
Mar 30, 2026
Chainalysis links crypto flows to Russian and Iranian drone procurement
In a report published on March 30, 2026, Chainalysis said cryptocurrency was being used to finance drone procurement by Russian and Iranian-linked actors. It highlighted more than $8.3 million raised by pro-Russia groups since 2022, repeated wallet payments tied to sanctioned drone maker KB Vostok, and Iranian-linked flows from Nobitex, IRGC-associated wallets, and sanctioned facilitator Alireza Derakhshan to drone-part suppliers.
Mar 26, 2026
38 North details DPRK crypto cash-out networks and direct USDT procurement use
In a report published on March 26, 2026, 38 North described how DPRK-linked actors including Lazarus launder stolen cryptocurrency through OTC brokers, exchanges, P2P platforms, and facilitators across multiple countries. The analysis also warned that North Korea is increasingly exploring direct use of cryptocurrency, especially USDT, to pay for sanctioned goods and weapons-related procurement, reducing reliance on traditional cash-out channels.
Mar 5, 2026
Chainalysis documents industrial-scale sanctions evasion via crypto in 2025
In its March 2026 report, Chainalysis said multiple nation-states had integrated blockchain and stablecoins into national financial infrastructure for sanctions evasion, procurement, and cyber operations, highlighting Iran, Russia, and North Korea.
Mar 3, 2026
TRM reports Nobitex mobilized dormant mining-linked wallets after breach
By March 2026, TRM observed Nobitex consolidating about $2.7 million from more than 100 previously dormant mining-linked wallets, with funds traced largely to EMCD and ViaBTC. The activity suggested reserve mobilization to restore liquidity as services resumed after the June 2025 breach.
Feb 28, 2026
US-Israeli strikes are followed by increased Nobitex on-chain flows
After the February 28 US-Israeli strikes, TRM observed increased on-chain activity at Nobitex, including transfers exceeding $35 million to cold storage. TRM assessed these movements as routine internal liquidity management rather than user-driven capital flight.
Dec 31, 2025
Kyrgyzstan emerges as a sanctions-linked crypto corridor
During 2025, Kyrgyzstan's licensed virtual asset service providers processed an estimated $20.5 billion to $32 billion in turnover, far exceeding the country's GDP. Reporting and blockchain analytics cited in the article indicated some Kyrgyz-licensed entities handled transaction patterns consistent with sanctions-evasion pipelines, especially fiat-to-USDT conversion for cross-border payments involving Russia, Central Asia, and China.
Dec 31, 2025
Sanctioned entities' crypto inflows surge to $104 billion
In 2025, sanctioned entities received about $104 billion in cryptocurrency, driving a broader 162% year-over-year rise in illicit-address inflows to at least $154 billion.
Dec 31, 2025
North Korea steals more than $2 billion in cryptocurrency
Across 2025, North Korea reportedly stole over $2 billion in cryptocurrency, with proceeds allegedly supporting the regime's weapons of mass destruction program.
Dec 31, 2025
Iranian entities move over $3 billion through IRGC-linked crypto networks
During 2025, IRGC-linked networks moved more than $3 billion in cryptocurrency to support proxy activity and procurement, reflecting increasing state dominance over Iran's crypto ecosystem.
Oct 1, 2025
IRGC-linked networks account for most Iranian crypto inflows in Q4 2025
By the fourth quarter of 2025, IRGC-linked networks were responsible for more than half of the value received by Iranian entities, underscoring the state's growing control over the sector.
Aug 20, 2025
UK sanctions Kyrgyz bank and crypto entities tied to Russian evasion
On 2025-08-20, the UK sanctioned Kyrgyzstan-based Capital Bank and its director, along with the Grinex and Meer exchanges and entities tied to the rouble-backed A7A5 token, alleging they were used by Russia to circumvent sanctions. The UK said these Kyrgyz financial and crypto networks helped facilitate payments for military goods and cited $9.3 billion moved through A7A5 infrastructure in four months.
Jun 1, 2025
Predatory Sparrow breaches Nobitex and steals about $90 million
In June 2025, the Israel-linked group Predatory Sparrow reportedly breached Nobitex, causing roughly $90 million in losses. The incident also exposed internal code and documentation describing the exchange's custody architecture and transaction-routing logic.
Mar 1, 2025
Tornado Cash removed from OFAC sanctions list
In March 2025, OFAC delisted Tornado Cash following a court ruling concerning autonomous smart contracts, marking a notable sanctions enforcement change in the crypto sector.
Jan 1, 2019
Nobitex becomes a major crypto rail in Iran's sanctions-constrained economy
Since 2019, Nobitex has processed tens of billions of dollars and developed into Iran's primary cryptocurrency on- and off-ramp, making it central to the country's financial ecosystem under sanctions pressure.
Sources
5 more from sources like The Diplomat, Chainalysis blog, 38 North and TRM Labs blog
Related Stories

Record Surge in Crypto Crime and Nation-State Sanctions Evasion via Blockchain
Illicit cryptocurrency activity reached unprecedented levels in 2025, with at least $154 billion in crypto flowing to addresses linked to criminal activity, according to Chainalysis. This surge was primarily driven by a dramatic increase in transactions involving sanctioned entities, which saw a 694% year-over-year rise. Nation-states have become increasingly involved, leveraging both established criminal infrastructure and developing their own on-chain systems to evade sanctions at scale. The professionalization of the illicit crypto ecosystem now enables transnational criminal networks and governments to launder funds and procure goods and services more efficiently, raising the stakes for both consumer protection and national security. Concurrently, global fraud has evolved into a strategic tool for both organized crime and hostile states, integrating advanced technical tactics such as bot farms, malware, and cryptocurrencies. Governments and private sector organizations are responding by forming international task forces to address the industrialization of fraud, which now rivals the GDP of major economies. North Korea and other pariah states are specifically cited for weaponizing cyber-enabled fraud networks to circumvent sanctions and generate revenue, further blurring the lines between traditional financial crime and cyberwarfare. The convergence of nation-state actors and criminal syndicates in the crypto space underscores the urgent need for coordinated global action to counter these threats.
Surge in Crypto-Linked Illicit Finance and Investment Fraud
Blockchain intelligence reporting indicated illicit cryptocurrency flows hit a record $158B in 2025, a sharp increase attributed largely to sanctions-linked activity (notably Russia-associated networks and stablecoin usage), broader state and state-aligned adoption of crypto for financial infrastructure (including Russia, Iran, and Venezuela), and improved attribution/intelligence sharing that surfaced previously unattributed flows. The same reporting highlighted continued criminal monetization via crypto, including $2.87B stolen across 150 hacks in 2025 (with the largest share concentrated in a small number of incidents) and roughly $35B sent to scam schemes, dominated by investment-style fraud. Belgian authorities separately reported escalating investment fraud losses in H2 2025, with more than €10.5M lost via fraudulent trading platforms often marketed as crypto-related, and an additional €9.5M+ tied to “exclusive” investment advice pushed through WhatsApp groups. In response, Belgium’s CCB/partners promoted public reporting and expanded disruption via the Belgian Anti-Phishing Shield (BAPS), with the FSMA able to submit suspected fraudulent sites for blocking/redirection to warning pages to reduce victimization.
Criminal Use and Seizure of Cryptocurrency Assets
Illicit actors continue to hold and move significant amounts of cryptocurrency, with on-chain balances linked to criminal activity now exceeding $75 billion. According to blockchain analytics, nearly $15 billion is directly held by entities identified as illicit, with stolen funds representing the largest share of these holdings. Downstream wallets, which have received more than 10% of their inflows from illicit sources, collectively hold over $60 billion, indicating that the reach of criminal proceeds extends far beyond the original perpetrators. Darknet market administrators and vendors alone control over $40 billion in on-chain value, highlighting the scale of underground digital economies. Bitcoin remains the dominant cryptocurrency among illicit balances, accounting for 75% of the total, though stablecoins and ether have seen substantial growth in criminal usage. The concentration of these funds is typically high, with a small number of wallets holding the majority of assets. Illicit actors are adapting their laundering techniques, increasingly using more cashout addresses for shorter periods to evade detection. Direct transfers from illicit entities to exchanges have dropped significantly, from about 40% of quarterly value in 2021–2022 to just 15% in Q2 2025, reflecting changes in both enforcement and criminal tactics. Law enforcement agencies, particularly in the United States, are responding by establishing strategic reserves and stockpiles of seized digital assets, and have already confiscated over $12.6 billion in illicit funds with the help of blockchain analytics firms. The timing of enforcement actions varies, with market-based illicit services tending to operate longer before being disrupted. Once illicit entities stop receiving funds, the speed at which they empty their wallets depends on the type of cryptocurrency held. 
Meanwhile, specific high-profile incidents continue to occur, such as the $21 million theft from SBI Crypto, a subsidiary of Japan's SBI Group. In this case, hackers stole a variety of cryptocurrencies, including bitcoin, ethereum, litecoin, dogecoin, and bitcoin cash, and laundered the proceeds through Tornado Cash, a mixing service favored by cybercriminals. Investigators noted that the tactics and laundering patterns in the SBI Crypto heist closely resembled those used by North Korean hacking groups, suggesting a possible link to Pyongyang's ongoing campaign to finance illicit activities through digital asset theft. The SBI Crypto incident is part of a broader trend, with North Korean threat actors reportedly stealing a record $2 billion in cryptocurrency so far this year. These developments underscore the persistent threat posed by sophisticated cybercriminals and nation-state actors in the cryptocurrency ecosystem, as well as the evolving strategies of both criminals and law enforcement in the battle over digital assets. The growing landscape of seizable crypto assets presents both a challenge and an opportunity for authorities seeking to disrupt illicit financial flows. As criminals refine their methods, the need for advanced analytics and coordinated international enforcement becomes increasingly critical. The ongoing arms race between cybercriminals and law enforcement is likely to shape the future of digital asset security and regulation.