Crypto Crime in 2025: $158 Billion in Illicit Flows and the Emergence of State-Scale Crypto Rails
Crypto-related crime did not merely rebound in 2025 — it scaled and institutionalized. According to estimates by TRM Labs, illicit entities received approximately $158 billion in incoming crypto value over the year, marking the highest level ever recorded. The surge was driven not by retail darknet activity, but by sanctions-linked infrastructures, state-aligned operations, industrialized fraud, and professional laundering services.
Key Takeaways
- $158B in incoming value to illicit entities in 2025 (TRM), while the overall illicit share declined slightly to ~1.2% of attributed on-chain volume.
- Using TRM’s “liquidity lens,” illicit actors captured roughly 2.7% of incoming VASP liquidity, a more operationally relevant risk indicator than total chain share.
- Sanctions-related activity spiked sharply, overwhelmingly linked to Russia, with extensive usage of the A7A5 ruble-pegged stablecoin (TRM estimates more than $72B in volume).
- Hacks and breaches: TRM documented ~$2.87B stolen across roughly 150 incidents; the Bybit breach alone accounted for about $1.46B.
- Fraud and scams: Approximately $35B flowed into fraud schemes; stablecoins represented 84% of verified fraud inflows.
- Laundering at scale: Over $60B exited illicit wallets into services. Chainalysis highlights the expansion of Chinese-language laundering networks.
- Independent analyses converge on a record year: Chainalysis estimates illicit addresses received at least $154B in 2025, with sanctions-related value rising 694% year-over-year.
The Core Narrative
For years, the industry leaned on a reassuring statistic: the percentage of illicit crypto activity was falling. TRM’s 2025 findings challenge that narrative. While the relative share dipped marginally from 1.3% to 1.2%, the absolute volume surged to historic highs, driven by massive growth in crypto liquidity and real-world integration.
More importantly, the nature of crypto crime has changed. What once looked like fragmented cybercrime now resembles a parallel financial layer, where sanctioned economies, professional fraud operators, and laundering intermediaries rely on crypto rails as durable infrastructure.
Deep Dive Analysis
1. Sanctions Activity Is No Longer Marginal — It Is Central
TRM identifies sanctions-driven flows as the primary growth driver in 2025. Russia-linked activity dominates, paired with concentrated stablecoin usage such as A7A5. This represents the regulatory nightmare scenario: purpose-built payment rails that reduce dependency on USD pathways and traditional correspondent banking choke points.
2. Theft Is Moving From Code Exploits to Operational Failures
The data shows a decisive shift away from sophisticated smart-contract exploits toward operational compromise — stolen keys, weak access controls, and vulnerable wallet infrastructure. The Bybit incident anchors this trend. The Federal Bureau of Investigation publicly attributed the approximately $1.5B Bybit hack to North Korea, under the campaign name “TraderTraitor.”
3. Fraud Has Become Industrial — With Stablecoins as the Transport Layer
TRM’s ~$35B fraud estimate comes with a critical operational insight: stablecoins account for 84% of confirmed fraud inflows. For compliance teams, this narrows the focus from abstract “crypto risk” to very specific exposure points — stablecoin liquidity, issuance, and on/off-ramps.
4. Laundering Is Professionalized and Increasingly Cross-Chain
Investigations by Reuters and Chainalysis describe rapidly growing Chinese-language laundering networks using escrow-style “guarantee platforms” to match clients with laundering services at scale.
At the same time, Elliptic estimates more than $21.8B in illicit or high-risk crypto was laundered via cross-chain mechanisms — bridges, DEXs, and swap services — undermining single-chain monitoring models.
The Scam-Or Project Perspective: The 2025 “Conversion Stack”
To understand crypto crime in 2025, the key question is no longer which blockchain, but where conversion occurs.
| Stage | Typical Mechanisms |
|---|---|
| Acquisition | Scams, hacks, illicit marketplaces |
| Conversion | Stablecoins, OTC desks, VASPs |
| Concealment | Cross-chain bridges, DEX routing, peeling patterns, mixers |
| Cash-Out | Fiat rails, payment processors, merchant networks, offshore entities |
Practical Implications
For Compliance Teams (VASPs, Stablecoin Issuers, Fintechs, Banks)
- Treat stablecoin flows as Tier-1 risk indicators, especially for fraud and sanctions exposure.
- Adopt liquidity-focused monitoring: measure deployable capital entering your rails, not just chain-wide percentages.
- Invest in cross-chain tracing and alerts for bridge and DEX routing behavior.
- Strengthen operational security — key management, privileged access, withdrawal controls, and vendor oversight — as operational compromise has become the dominant exploit vector.
- Apply continuous, contextual sanctions screening based on clusters, counterparties, and typologies, not one-time onboarding checks.
For Regulators
If 2025 is the new template, enforcement must move upstream — toward stablecoin governance, VASP liquidity gateways, and repeatable laundering platforms that criminals cannot bypass.
Call for Information
Scam-Or Project is actively monitoring stablecoin payment rails, laundering intermediaries, escrow-based “guarantee platforms,” and cross-chain cash-out structures observed in 2025.
If you possess insider information — including compliance alerts, SAR patterns, blocked merchant lists, wallet clusters, bank-transfer beneficiaries, payment processors, or operational security failures — please submit it confidentially via the Scam-Or Project whistleblower section.
