TL;DR: Chinese-language money laundering networks now dominate known crypto laundering activity, processing an estimated 20% of illicit crypto funds over five years and $16.1 billion in 2025 across more than 1,799 wallets, according to Chainalysis. The scale, fragmentation, and rapid service migration show why disruption must focus on operators and channels, not just venues.
At a glance
What this is: Chinese-language money laundering networks have become the dominant organised laundering layer in crypto, with Chainalysis identifying six service types and multi-billion-dollar processing scale.
Why it matters: IAM, fraud, AML, and NHI teams should care because laundering ecosystems increasingly depend on rented identities, account access, and platform trust that can be abused, hidden, or rapidly reconstituted.
By the numbers:
- Chinese-language money laundering networks processed $16.1 billion in 2025 across 1,799+ active wallets.
- The share of known illicit laundering activity attributed to Chinese-language money laundering networks reached approximately 20% in 2025.
- Growth of inflows to identified Chinese-language money laundering networks since 2020 was 7,325 times faster than growth to centralized exchanges.
- 27 days.
👉 Read Chainalysis' analysis of Chinese-language money laundering networks and illicit crypto flows
Context
Chinese-language money laundering networks are not a loose collection of opportunistic accounts. They are structured laundering services that fragment, layer, exchange, and repackage illicit funds across on-chain and off-chain channels. The primary security problem is not just transaction volume, but the industrialisation of laundering operations that can move faster than conventional financial controls.
For identity and access teams, the relevance is direct. These networks depend on financial identities, rented accounts, exchange access, and platform reputation systems that allow illicit actors to borrow trust at scale. That makes the topic relevant to fraud prevention, AML, KYC governance, and the wider problem of how identity can be operationalised as a laundering primitive.
The same pattern appears in NHI environments when stolen credentials, API keys, or platform accounts become the mechanism for abuse rather than the payload itself. The organisational starting point is typical of mature criminal ecosystems: modular, distributed, and resilient rather than dependent on one single platform.
Key questions
Q: What breaks when laundering networks can rent financial identities at scale?
A: When laundering networks can rent financial identities at scale, KYC and account ownership assumptions stop being reliable. The system no longer connects a transaction to a stable, accountable person, so fraud, AML, and platform controls lose attribution. Teams need identity proofing, behavioural correlation, and account lifecycle controls that can detect when an identity is being borrowed for criminal movement.
Q: Why do laundering ecosystems keep growing even after enforcement actions?
A: They grow because enforcement often hits the venue, not the operator network. If advertisers, brokers, and wallet clusters can move to another platform quickly, the service model survives. The right response is to map the ecosystem across channels and target the actors, aliases, and payment relationships that make the network portable.
Q: How do security teams spot fragmentation used to evade transaction monitoring?
A: Look for repeated small transfers that later converge into larger outbound movements, especially when the same identities, addresses, or communication channels recur. Fragmentation is designed to defeat threshold-based review, so teams need graph analysis, temporal clustering, and typology-aware rules rather than only static value limits.
Q: Who is accountable when laundering services move across platforms and jurisdictions?
A: Accountability should sit with the institutions that onboard, enable, or process the activity, not only the marketplace where it is advertised. That includes exchanges, payment providers, and platform operators with KYC, monitoring, and offboarding obligations. Cross-border coordination is essential because displacement across jurisdictions is part of the operating model.
Technical breakdown
How laundering service layering works across crypto channels
The report describes a multi-stage laundering ecosystem rather than a single transfer path. Running point brokers recruit people to rent bank accounts or wallets, money mules layer transactions, OTC services convert suspicious funds without meaningful KYC, and Black U services monetise tainted assets at a discount. Each service type performs a different function in obscuring provenance and breaking traceability. The result is a network that can move value from scams, theft, and underground markets into more accepted financial rails while making attribution harder at every hop.
Practical implication: Practitioners should treat laundering as a workflow problem and identify which control fails at each handoff, not just whether a transaction is suspicious.
Why guarantee platforms matter without being the launders themselves
Guarantee platforms function as marketing and escrow infrastructure for laundering vendors. They do not necessarily control the underlying illicit activity, but they concentrate trust, reputation signals, and vendor discovery in one place. That matters because attackers and facilitators can lose one venue and retain their operational network by shifting to another channel. In security terms, this is a platform dependency problem: the ecosystem survives venue disruption because the service, the identity, and the audience are distributed across multiple platforms.
Practical implication: Teams should monitor the network of actors and aliases behind a service, not just the marketplace surface where they advertise.
How fragmentation and speed defeat conventional monitoring
Fragmentation is not an accidental by-product here. Black U services split large transfers into smaller amounts, while OTC services consolidate small flows into larger ones for integration, both of which are designed to defeat threshold-based monitoring. The article also shows rapid scale-up, with some service types reaching $1 billion in days rather than years. That combination of modularity and speed means static rules and venue-only takedowns will always lag behind the operational tempo of the network.
Practical implication: Detection programs need behavioural clustering, cross-platform correlation, and faster escalation paths than single-channel monitoring can provide.
Threat narrative
Attacker objective: The attacker objective is to convert criminal proceeds into spendable value while preserving operational anonymity and continuity across platforms.
- Entry occurs when running point brokers recruit individuals to rent financial identities, bank accounts, digital wallets, or exchange deposit addresses for illicit transfers.
- Escalation follows as mule networks, OTC desks, and Black U services layer, consolidate, or fragment funds to obscure provenance and move value across jurisdictions.
- Impact is achieved when illicit proceeds are integrated into apparently legitimate crypto and fiat flows, preserving operator resilience even after enforcement action against a single venue.
NHI Mgmt Group analysis
Chinese-language laundering has become a trust-management problem, not just a transaction-monitoring problem. The report shows that vendors, marketplaces, and reputation signals now act as a parallel trust layer for illicit finance. That is structurally similar to how credential marketplaces and shadow access brokers operate in cybercrime. Practitioners should therefore look at the identity and reputation mechanics that make laundering services scalable, not only the movement of funds.
Platform disruption alone does not break a laundering ecosystem. Chainalysis shows vendors simply migrate when a venue is removed, which means the durable unit of analysis is the operator network. This is the same failure mode seen in other distributed threat ecosystems where accounts, handles, and channels are replaceable but the underlying service model persists. The practitioner conclusion is to target the actor graph, not just the front-end marketplace.
Cross-border laundering now behaves like an industrial service supply chain. The ecosystem combines recruitment, account rental, exchange access, brokerage, layering, and cash-out into repeatable service types. That modularity lowers friction for organised crime and raises the burden on financial institutions, exchanges, and investigators. The governance lesson is clear: controls must be designed to trace service relationships across the chain, not merely flag isolated transactions.
Rented identity is the enabling primitive behind much of the activity. Running point brokers depend on people renting bank accounts, wallets, and exchange identities, which makes identity governance central to AML outcomes. That intersection between fraud, access, and laundering is often missed when teams treat the problem as purely financial crime. Practitioners should align KYC, account lifecycle controls, and behavioural monitoring around the identity layer that makes laundering feasible.
Fragmentation creates a detection gap that threshold rules cannot close. Black U services split value into smaller pieces while OTC services consolidate flows for integration, so static alerts miss the structural pattern. That is a named concept worth tracking: laundering fragmentation pressure, the tendency for illicit networks to split and recombine value specifically to outrun fixed monitoring thresholds. The practitioner conclusion is to prioritise graph-based detection and typology-aware rules.
What this signals
The signal for practitioners is that laundering detection is moving toward graph-based, service-aware analysis rather than case-by-case transaction review. Organisations that still rely on fixed thresholds will miss the modular movement patterns that these networks use to split, route, and recombine value across channels.
Laundering fragmentation pressure: the network splits value into small transfers and recombines it later to evade static controls. That pattern is familiar to identity teams because borrowed accounts, shared credentials, and repeated platform personas create the same kind of control evasion. The relevant control question is whether your monitoring can follow the service relationship, not just the money flow.
For IAM and fraud teams, the broader lesson is that account ownership signals are only as strong as the lifecycle controls behind them. If identities can be rented, repurposed, or re-used without strong offboarding and monitoring, the criminal market will keep finding ways to turn trust into a transfer mechanism.
For practitioners
- Map the operator graph, not just the venue Build cases around linked handles, wallet clusters, Telegram identities, and reuse patterns across guarantee platforms, OTC desks, and mule services. The goal is to identify the service operator even when the marketplace changes.
- Tune alerts for split-and-consolidate behaviour Add detection logic for rapid micro-fragmentation followed by consolidation into larger outbound transfers. This pattern is central to Black U and OTC laundering and is more useful than single-threshold review.
- Treat rented identity as a financial crime signal Escalate account rental, credential leasing, and wallet sharing as indicators of laundering facilitation. Cross-reference onboarding anomalies, account takeover indicators, and beneficiary changes with AML reviews.
- Coordinate platform takedowns with downstream monitoring When a marketplace or guarantee platform is disrupted, watch for migration to alternative channels, mirrored ads, and re-used vendor language. A venue action without migration monitoring only displaces the problem.
Key takeaways
- Chinese-language money laundering networks have become an industrialised service layer for illicit crypto, not just a collection of isolated actors.
- Chainalysis attributes $16.1 billion in 2025 inflows to these networks, showing scale, speed, and resilience that outpace venue-only disruption.
- Practitioners should focus on operator graphs, identity rental signals, and fragmentation patterns, because those are the controls that change outcomes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0010 , Exfiltration | The ecosystem relies on identity abuse, movement across channels, and concealment of value flows. |
| NIST CSF 2.0 | PR.AC-4 | Identity and access control are central where rented accounts enable laundering. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management matters when financial identities are rented or repurposed. |
| GDPR | Art.32 | Where identity evidence and personal data support KYC and fraud monitoring, security of processing is relevant. |
Protect identity and onboarding data used for KYC with strong access control, monitoring, and retention discipline.
Key terms
- Money Laundering Service Layer: A money laundering service layer is the organised set of brokers, marketplaces, wallets, and conversion services that move illicit value between source and destination. It matters because the criminal capability is distributed across roles, making it harder to disrupt by focusing on a single platform or transaction type.
- Running Point Broker: A running point broker is an intermediary that recruits people to rent out bank accounts, wallets, or exchange identities for moving illicit funds. The role is important because it turns identity access into a transferable service, creating the first stage of laundering and the first major attribution gap.
- Guarantee Platform: A guarantee platform is an illicit marketplace and escrow venue where laundering vendors advertise, build reputations, and connect with buyers. It does not necessarily execute laundering itself, but it concentrates trust and discovery, which makes it a high-value coordination point in the ecosystem.
- Laundering Fragmentation Pressure: Laundering fragmentation pressure is the tendency for illicit operators to split transfers into smaller pieces and recombine them later to avoid detection thresholds. It is a behavioural signature that defeats simple value-based rules and requires graph analysis, timing correlation, and service-aware monitoring.
What's in the full report
Chainalysis' full report covers the operational detail this post intentionally leaves for the source:
- Service-by-service breakdowns of running point brokers, money mules, OTC desks, Black U services, gambling services, and money movement services.
- On-chain behavioural fingerprints and typologies that help investigators distinguish one laundering service from another.
- Examples of how guarantee platforms, Telegram channels, and vendor reputations support the ecosystem without directly executing every transfer.
- The enforcement and disruption patterns that explain why networks migrate rather than disappear when one venue is targeted.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need a practical foundation for controlling non-human access across modern environments.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org