Illicit Crypto Flows Hit Record $158 Billion in 2025: Critical Update
Executive Summary
Illicit cryptocurrency flows rose to a record $158 billion in 2025, a 145% increase from the previous year's $64 billion that reverses a three-year downward trend. The surge occurred even though illicit activity's share of total on-chain volume fell slightly (from 1.3% to 1.2%). Analysis by TRM Labs attributes the rise to expanded sanctions-linked crypto activity, increased nation-state use of digital assets, and enhanced attribution capabilities.
Key Findings
- Record Illicit Volume: Total illicit cryptocurrency flows reached $158 billion in 2025, a 145% increase from $64 billion in 2024.
- Primary Drivers:
  - Sanctions Evasion: A significant surge in sanctions-linked crypto activity, primarily driven by Russia-associated networks (e.g., A7, A7A5 stablecoin), following new designations and improved attribution.
  - Nation-State Adoption: Increased use of cryptocurrency by nation-states (Russia, Iran, Venezuela) as core financial infrastructure, alongside large-scale settlement activities via China-linked escrow and underground banking networks.
  - Improved Attribution: Enhanced intelligence sharing and tools, such as those from TRM Labs, enabled the identification of previously unattributed illicit flows and accelerated the recognition of sanctions-related activity, major hacks, and blocklisted entities.
- Hacking Incidents:
  - A total of $2.87 billion was lost across 150 hacking incidents in 2025.
  - The top 10 incidents accounted for 81% of the stolen value.
  - The February 2025 Bybit breach, attributed to North Korean hackers, was the most significant, resulting in approximately $1.46 billion in losses.
- Scam Activity:
  - Approximately $35 billion was sent to fraud schemes.
  - Investment scams dominated, accounting for 62% of inflows, including romance baiting, Ponzi schemes, and fake task scams.
  - Observable increase in scam organization, professionalism, quality, and outreach, potentially linked to the use of AI tools.
- Ransomware Landscape:
  - Ransomware-linked cryptocurrency inflows remained elevated but did not reach prior peaks, despite a record year for victims listed on extortion portals.
  - Increased victim resistance to ransom payments.
  - Unprecedented ecosystem fragmentation with 161 active strains and 93 new variants observed in 2025.
  - Ransom laundering evolved: mixer usage fell by 37%, while bridge usage and cross-chain routing increased by 66%.

Impact
This unprecedented surge in illicit cryptocurrency flows directly impacts global financial stability and national security. The expanded use by sanctioned entities and nation-states poses significant geopolitical challenges, undermining international sanctions regimes. The scale of financial losses from hacks and scams erodes trust in the digital asset ecosystem and directly harms individuals and organizations. The evolving sophistication of ransomware and laundering techniques complicates law enforcement efforts and necessitates enhanced intelligence and defensive postures from all stakeholders.
Mitigation
The source does not detail specific mitigation strategies for these macro-level illicit cryptocurrency flows. However, general cybersecurity best practices and intelligence-driven defense are critical for mitigating the underlying threat vectors:
- Enhanced Due Diligence (EDD): Financial institutions and cryptocurrency exchanges must implement rigorous EDD on all transactions and users to identify and block sanctioned entities or high-risk actors.
- Sanctions Compliance: Strict adherence to national and international sanctions lists, leveraging blockchain analytics tools to identify and freeze funds associated with designated entities.
- Robust Security Posture: For individuals and organizations, implement strong cryptographic security measures, multi-factor authentication (MFA), and regular security audits for all cryptocurrency wallets and platforms to prevent hacking incidents.
- User Education: Proactive campaigns to educate users on prevalent scam tactics (e.g., investment scams, romance baiting, phishing) and the risks associated with unverified platforms or offers.
- Network Segmentation & Backup: For ransomware defense, implement network segmentation, maintain immutable backups, and develop robust incident response plans. Avoid paying ransoms to disrupt the threat actor's business model.
- Advanced Threat Intelligence: Utilize blockchain intelligence platforms (like TRM Labs) for real-time monitoring, attribution, and identification of emerging threat actor tactics, techniques, and procedures (TTPs), particularly concerning AI-driven scams and evolving laundering methods.
- Interagency Collaboration: Foster greater collaboration between law enforcement, intelligence agencies, and private sector blockchain analytics firms to accelerate intelligence sharing and enforcement actions against illicit actors and networks.