By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ChainalysisPublished January 28, 2026

TL;DR: Chinese money laundering networks processed about $16.1 billion in 2025, accounting for roughly 20% of known illicit crypto laundering, with activity scaling far faster than exchange-based inflows and spreading across six distinct service types, according to Chainalysis. The governance challenge is no longer isolated platforms but resilient laundering infrastructure that adapts when enforcement shifts pressure elsewhere.


At a glance

What this is: Chainalysis says Chinese money laundering networks have become a central layer of illicit crypto laundering, with distinct service types, rapid scaling, and frequent adaptation under enforcement pressure.

Why it matters: For IAM, fraud, and financial crime teams, this matters because laundering infrastructure increasingly depends on identity rentals, account access, and cross-platform trust signals that mirror broader identity abuse patterns.

By the numbers:

  • Chainalysis says the growth in flows into these networks since 2020 has been 7,325 times faster than growth into centralised exchanges.

👉 Read Chainalysis's analysis of Chinese money laundering networks and crypto crime flows


Context

Chinese money laundering networks are underground service ecosystems that move illicit crypto into forms that can be spent, cached, or reintroduced into mainstream finance. The article shows that the networks are not a single market or platform, but a collection of specialised operators with different routing patterns, settlement behaviours, and operational roles.

For identity, fraud, and financial crime teams, the important point is that these systems rely on rented bank accounts, digital wallets, exchange accounts, and other forms of delegated financial identity. That makes the topic relevant beyond blockchain analytics, because the same access, trust, and lifecycle weaknesses appear in account takeover, mule recruitment, and payment abuse.

The article’s starting position is atypical only in scale, not in structure. The same laundering logic has long existed in fraud and organised crime, but the crypto layer makes it faster, more modular, and harder to disrupt through platform-only enforcement.


Key questions

Q: What breaks when mule accounts are treated as ordinary payment users?

A: When mule accounts are treated as ordinary users, teams miss the fact that the account holder may not control the activity at all. That creates a false trust boundary, weakens attribution, and lets illicit transfers look like routine customer movement. Stronger ownership verification and behavioural correlation are needed to separate legitimate users from rented financial identities.

Q: Why do laundering networks rely on many small transfers instead of single large moves?

A: Many small transfers help operators avoid threshold-based detection and make suspicious activity look fragmented rather than coordinated. The same pattern also creates more routing options, which reduces the chance that one blocked account or wallet will stop the flow. Teams need to look for dispersion patterns, not just large-value alerts.

Q: How do security and fraud teams know if account abuse is part of laundering?

A: Look for behavioural clusters, not isolated events. Reused devices, rapid beneficiary changes, unusual wallet chaining, sudden settlement speed changes, and frequent movement across counterparties are stronger signals than any single transfer. If those signals align, the account should be treated as a laundering node until proven otherwise.

Q: Who is accountable when laundering services move across platforms and jurisdictions?

A: Accountability should sit with the institutions that onboard, enable, or process the activity, not only the marketplace where it is advertised. That includes exchanges, payment providers, and platform operators with KYC, monitoring, and offboarding obligations. Cross-border coordination is essential because displacement across jurisdictions is part of the operating model.


Technical breakdown

How laundering services turn identity into routing capacity

The article describes running point brokers and money mule operators that recruit people to lend their financial identities, including bank accounts, digital wallets, and exchange accounts. In practice, the account holder becomes a temporary transfer node, while the real operator controls direction, timing, and destination. This is functionally an identity abuse problem, because the access path is created through trust in the account rather than through technical compromise alone. The same pattern shows up in fraud ecosystems where legitimacy is borrowed from a real user or account.

Practical implication: Treat mule recruitment and account lending as identity abuse, not only as fraud, and build controls around account ownership, anomaly detection, and beneficiary validation.

Structuring and aggregation are the two core laundering mechanics

Chainalysis distinguishes services that split large transfers into many smaller transactions from services that gather many small transfers into larger pools. Structuring, sometimes called smurfing, reduces detection by staying below thresholds. Aggregation reverses that by concentrating funds for the final integration stage. These are not just accounting techniques. They are operational patterns that shape wallet behaviour, transaction size, counterparty count, and settlement speed across the laundering chain.

Practical implication: Monitor transaction dispersion and concentration patterns together, because seeing only one side of the movement obscures the laundering stage you are actually observing.

Automated swap and gambling services compress the laundering window

The fastest services in the report use automation to receive, swap, and forward funds with minimal human intervention. That matters because the shorter the settlement window, the less effective slow manual controls become. If a service can complete high-value movement in minutes, then after-the-fact review is already too late for containment. The technical lesson is that laundering resilience comes from speed, orchestration, and platform redundancy, not just from hiding source addresses.

Practical implication: Prioritise near-real-time interdiction signals and cross-platform intelligence sharing over manual review queues that arrive after funds have moved.


Threat narrative

Attacker objective: The attacker’s objective is to launder illicit crypto at scale while preserving liquidity, obscuring provenance, and reducing the chance of freeze or seizure.

  1. Entry begins when recruiters persuade individuals or intermediaries to provide bank accounts, wallets, or exchange accounts that can be used as transfer nodes for illicit funds.
  2. Escalation occurs when funds are broken into smaller transfers or aggregated across mule networks, allowing operators to route around detection thresholds and platform controls.
  3. Impact is the conversion of stolen, scam, or sanction-sensitive funds into apparently legitimate assets that can be reintroduced into mainstream financial channels.

NHI Mgmt Group analysis

Chinese money laundering networks are a delegated identity problem as much as a financial crime problem. The article’s most important signal is that the laundering layer depends on accounts, wallets, and exchange identities that can be rented, pooled, or operationalised by third parties. That makes the control failure one of identity ownership and lifecycle governance, not just blockchain visibility. For practitioners, the lesson is that account legitimacy must be treated as an active control surface, not a static assumption.

Structured laundering is a behavioural pattern that looks familiar to identity teams. The split between structuring and aggregation mirrors how malicious actors exploit thresholds, trust boundaries, and review delays in other identity systems. In IAM and fraud operations, the same logic appears when accounts are used briefly, repeatedly, and across many counterparties. For practitioners, the practical conclusion is that behaviour-based monitoring must sit alongside entitlement and provenance checks.

Financial identity sprawl: this is the governance gap where large, distributed networks of accounts, wallets, and intermediaries become hard to own, hard to verify, and easy to re-purpose. The article shows that network disruption often displaces activity rather than ends it, which means poor lifecycle control becomes a resilience problem. For practitioners, the conclusion is that inventory, ownership, and offboarding discipline matter as much in financial crime as they do in enterprise IAM.

Enforcement alone does not break a modular laundering ecosystem. The article shows that pressure on one platform often pushes operators to another channel, while the underlying service model survives. That dynamic is relevant to identity governance because it shows how adversaries exploit fragmentation between platforms, jurisdictions, and control owners. For practitioners, the conclusion is to build cross-platform correlation and escalation paths, not siloed controls.

Crypto laundering now intersects directly with broader trust and identity frameworks. When a mule account, OTC desk, or wallet is used to launder funds, the real question becomes who controls the identity behind the access path and how that identity was vetted, monitored, and retired. That is why fraud, KYC, and IAM teams should read this as an identity lifecycle warning. For practitioners, the conclusion is to align fraud operations with lifecycle governance and account verification.

What this signals

The immediate programme signal is that fraud, AML, and IAM teams need a shared view of account legitimacy. When financial identities can be rented, repurposed, or chained through intermediaries, control ownership becomes more important than whether a transaction looks individually plausible.

Financial identity sprawl: the practical risk is not just more accounts, but more temporary and partially trusted accounts that move value outside normal review windows. Teams should align their controls with lifecycle events, especially where account ownership changes faster than monitoring rules do.

For identity programmes, the useful comparison is with workload and service identity governance. The same pattern of distributed ownership, incomplete offboarding, and fragmented visibility appears here, even though the asset being moved is money rather than access. That makes correlation between IAM, fraud, and compliance signals essential.


For practitioners

  • Strengthen account ownership verification Require stronger proof of control for bank accounts, exchange accounts, and wallets that move high-value funds or frequently change counterparties. Tie suspicious behaviour to account re-verification rather than relying only on transaction review.
  • Monitor for structuring and aggregation together Track wallet behaviour that breaks large transfers into many small ones and also the reverse pattern where many small flows are consolidated into a few wallets. Use both signals to detect different laundering stages.
  • Correlate mule behaviour with identity lifecycle events Link payment anomalies to onboarding, offboarding, reactivation, and beneficiary-change events so teams can see when legitimate accounts are being repurposed for laundering.
  • Prioritise near-real-time interdiction Escalate alerts that indicate rapid settlement, especially where funds move through automation-driven swap or gambling services in minutes rather than hours.

Key takeaways

  • Chinese money laundering networks now operate as industrialised identity and settlement infrastructure for illicit crypto flows.
  • The scale matters because the networks combine rapid transaction processing, behavioural fragmentation, and service redundancy to outpace platform-only enforcement.
  • Practitioners should respond by tightening ownership verification, lifecycle controls, and cross-domain detection across IAM, fraud, and compliance teams.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Account ownership and verification are central to mule and wallet abuse.
NIST SP 800-53 Rev 5AC-2Account management is relevant where accounts are repurposed for laundering.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe threat pattern depends on account abuse and movement across trust boundaries.
GDPRArt.32Personal data and identity records are implicated when payment identities are abused.

Protect identity and payment records with controls that reduce unlawful access and misuse under Art.32.


Key terms

  • Chinese Money Laundering Network: A Chinese Money Laundering Network is an informal, distributed ecosystem of brokers, mule operators, OTC desks, and swap services that moves illicit funds through crypto and payment rails. It functions like infrastructure rather than a single organisation, with specialised roles that help obscure provenance and speed settlement.
  • Running Point Broker: A running point broker is an intermediary that recruits people to rent out bank accounts, wallets, or exchange identities for moving illicit funds. The role is important because it turns identity access into a transferable service, creating the first stage of laundering and the first major attribution gap.
  • Money mule: A money mule is an account holder or intermediary used to receive and move fraudulent funds on behalf of a criminal. Mule activity is part of the execution layer of many scams because it helps obscure the final destination and complicates recovery, tracing, and reversal.
  • Structuring: Structuring is a money-laundering technique that breaks a large transaction into smaller ones to avoid reporting thresholds. The fraud works because each transfer can look ordinary on its own, so investigators need aggregated behavioural analysis and identity linkage to see the pattern.

What's in the full report

Chainalysis's full report covers the operational detail this post intentionally leaves for the source:

  • Wallet-by-wallet breakdowns of the six laundering service types and their distinct on-chain patterns.
  • Transaction-flow visuals showing how structuring and aggregation change as funds move through the ecosystem.
  • Service-level timing data that compares how quickly automated and human-run operators settle high-value transfers.
  • The report’s enforcement and disruption analysis, including why pressure on one platform often shifts activity elsewhere.

👉 The full Chainalysis report covers service-type breakdowns, on-chain patterns, and enforcement implications.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management. It helps practitioners connect account ownership, access control, and lifecycle discipline across identity programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org