They often focus on the final wallet instead of the services that enable movement, conversion, and concealment. That misses the criminal platform layer, where laundering services, bulletproof hosting, and proxy networks create persistence. The better model is to treat infrastructure providers as part of the threat surface and to score them by repeat use and jurisdictional resilience.
Why This Matters for Security Teams
On-chain crime rarely depends on a single compromised wallet. It depends on an ecosystem that keeps attackers moving, converting, and hiding. That includes infrastructure such as bulletproof hosting, proxy networks, mixers or laundering services, and replayable social and technical access paths. Security teams that only hunt the final destination address usually miss the services that make the whole operation durable.
This matters because the infrastructure layer often signals repeatability, not just one-off abuse. The same hosting provider, cash-out service, or relay pattern can support multiple incidents across different wallets and campaigns. Treating those providers as part of the threat surface helps teams understand persistence, attribution confidence, and which disruption points are actually worth escalating. The NIST Cybersecurity Framework 2.0 is useful here because it pushes organisations to think in terms of governance, detection, response, and recovery, not just isolated technical indicators.
In practice, many security teams encounter the infrastructure layer only after funds have already been fragmented, bridged, or converted, rather than through intentional monitoring of the services that enabled the movement.
How It Works in Practice
Operationally, on-chain crime infrastructure behaves like a service stack. The attacker may use one provider to seed funds, another to route traffic, and a third to obfuscate ownership before the assets ever touch a regulated exchange. That means investigators need to correlate wallet activity with infrastructure signals such as shared hosting, reused domains, common referral patterns, sanctioned service exposure, and repeat interaction with the same off-ramps.
Good practice is to score infrastructure by resilience and recurrence. A provider that appears once may be noise. A provider that appears across multiple incidents, geographies, or laundering paths becomes a strategic node. Current guidance suggests combining blockchain analytics with infrastructure intelligence, abuse reports, DNS and hosting telemetry, and case management data so analysts can separate opportunistic use from repeat offender dependency. For a broader control lens, the MITRE ATT&CK matrix remains useful for mapping the enablement steps around credential theft, access, exfiltration, and command infrastructure, even when the final crime is financial rather than purely cyber.
- Track repeated infrastructure reuse across distinct wallet clusters.
- Tag services by jurisdiction, takedown resilience, and known abuse history.
- Distinguish conversion points from concealment points and from transport points.
- Correlate on-chain flows with off-chain hosting, DNS, and payment rails.
Where this becomes especially important is in response triage: teams can prioritise disruption against services that support many incidents, rather than over-investing in a single wallet that is likely to be discarded. The CISA Known Exploited Vulnerabilities Catalog is not a blockchain-specific resource, but it is a strong reminder that repeatable abuse often scales through weak, exposed infrastructure. These controls tend to break down when cross-chain laundering, privacy tooling, and shell service layers are distributed across multiple legal jurisdictions because evidence becomes fragmented and takedown leverage drops.
Common Variations and Edge Cases
Tighter infrastructure targeting often increases investigative overhead, requiring organisations to balance speed of disruption against attribution confidence. Not every proxy, host, or bridge is malicious, and not every repeated pattern is proof of criminal control.
That tradeoff is why guidance is still evolving. There is no universal standard for weighting infrastructure reuse across crime types, and the right threshold differs between fraud investigations, sanctions exposure, and broader threat intelligence programs. Best practice is to document whether a service is merely adjacent to crime or operationally enabling it, then apply different response paths accordingly. The Europol cybercrime material is helpful for understanding how infrastructure abuse is organised across borders and service layers.
Identity teams should also notice the overlap with account governance. Reused operator identities, mule accounts, and compromised access to infrastructure providers can create NHI-like persistence, even when the core offence is financial rather than purely technical. In practice, the hardest edge case is a legitimate service that becomes infrastructure for abuse only after compromise, because teams then need to separate provider failure from hostile reuse before taking action.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Crime infrastructure scoring needs governance-led oversight of recurring risk. |
| MITRE ATT&CK | T1105 | Attackers use remote services and infrastructure to move and stage activity. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Repeated service identities can behave like persistent non-human access paths. |
Track infrastructure providers as identities with lifecycle, reuse, and abuse history.