By NHI Mgmt Group Editorial TeamPublished 2026-05-12Domain: Identity Beyond IAMSource: Chainalysis

TL;DR: Darknet markets, OTC desks and crypto scams generated billions in illicit proceeds, while also driving regional adoption and shaping the effects of policy and regulation on usage, according to Chainalysis. The compliance signal is clear: crypto governance now depends on tracing behaviour, not just monitoring assets.


At a glance

What this is: This is Chainalysis’ 2020 crypto crime and adoption report, highlighting how darknet markets, OTC desks, scams and regional usage patterns shape enforcement and compliance risk.

Why it matters: It matters to identity, fraud and compliance teams because the same trust, onboarding and transaction patterns that enable legitimate crypto use also create blind spots for abuse detection and regulatory control.

👉 Read Chainalysis' crypto crime and adoption report for the full regional analysis


Context

Cryptocurrency crime is not a single abuse pattern. It spans marketplace laundering, scam monetisation, cross-border transfer behaviour and the operational choices that exchanges, desks and regulators have to govern. For identity, fraud and compliance programmes, the challenge is less about the asset class itself and more about the trust and verification controls wrapped around it.

Chainalysis frames the topic as a global adoption and crime problem, which is the right lens for practitioners. Regional usage, policy pressure and institutional participation change how fraud, AML and identity verification controls need to be designed, and that intersection is where governance failures become operational losses.


Key questions

Q: How should compliance teams govern crypto users after KYC is complete?

A: They should treat KYC as the start of governance, not the end. Identity verification confirms who entered the system, but ongoing transaction monitoring, wallet behaviour analysis and risk-based review determine whether that identity is being used legitimately. The strongest programmes connect customer identity, account activity and funds movement in one case workflow.

Q: Why do crypto platforms need both fraud and AML controls?

A: Because scams and laundering are often the same chain from different angles. Fraud detects how value enters the ecosystem through deception, while AML detects how that value is converted, dispersed or obscured. If the two functions are siloed, teams miss the full lifecycle of abuse and respond too late.

Q: What breaks when crypto monitoring is not tied to identity signals?

A: Teams lose the ability to distinguish legitimate trading from coordinated abuse. A wallet or account may appear normal in isolation while actually serving a laundering path across counterparties, OTC desks and exchanges. Without identity-linked monitoring, investigators see fragments instead of a coherent risk picture.

Q: How do regional adoption trends affect crypto compliance decisions?

A: They change the baseline for normal behaviour, customer sophistication and regulatory pressure. A region with fast retail growth may need different thresholds from one dominated by institutional activity. Compliance teams should tune review logic, escalation criteria and customer verification depth to the market they actually serve.


Technical breakdown

How darknet markets reshape crypto crime detection

Darknet markets create a repeatable laundering path because they compress illicit demand, payment settlement and cross-jurisdiction movement into one ecosystem. That makes attribution and interdiction harder than in conventional financial fraud, where single institutions often hold stronger customer and transaction controls. In crypto, the same address can move through wallets, mixers, OTC services and exchanges before a case is visible. The investigative problem is therefore networked, not linear, and it requires clustering, behavioural analysis and exchange cooperation rather than isolated transaction review.

Practical implication: build detection and escalation workflows around address clustering, not just single suspicious transactions.

OTC desks, scams and the identity layer in crypto laundering

OTC desks sit between identity verification and transaction flow, which makes them attractive when criminals want to convert crypto at scale with less public visibility. Scams and laundering also depend on social engineering, synthetic identities or weak customer due diligence to create an apparently legitimate path for funds. The identity control question is whether onboarding, beneficial ownership checks and transaction monitoring are actually linked. If those controls are siloed, the organisation may verify a customer once but fail to govern what that customer does next across wallets, counterparties and channels.

Practical implication: connect KYC, fraud, and transaction monitoring so identity risk follows the funds lifecycle.

Regional adoption patterns change compliance pressure

Rapid growth in a region does not automatically mean higher criminality, but it does change the control environment. When retail and institutional usage grow together, regulators and exchanges face different risks from velocity, volume, customer sophistication and local policy. That is why the report’s regional lens matters: compliance teams need to understand where usage is changing before they choose controls, thresholds and escalation rules. A one-size-fits-all program will miss both legitimate adoption signals and emerging abuse patterns.

Practical implication: tune AML, fraud, and identity verification thresholds by region rather than applying one global rule set.


Threat narrative

Attacker objective: The attacker objective is to move illicit crypto through trusted exchange and settlement paths while obscuring provenance and reducing the chance of interdiction.

  1. Entry occurs when criminals use scams, darknet marketplace access or weak onboarding controls to introduce illicit value into crypto ecosystems.
  2. Escalation happens as funds move through OTC desks, wallets and exchanges that do not fully connect identity signals to transaction behaviour.
  3. Impact is realised when illicit proceeds are laundered, converted or dispersed at scale, reducing traceability and increasing enforcement complexity.

NHI Mgmt Group analysis

Crypto crime is fundamentally a governance problem, not just an enforcement problem. Chainalysis’ framing shows that illicit use is shaped by onboarding, transaction monitoring and cross-platform visibility as much as by criminal intent. For identity teams, this means the boundary between fraud, AML and IAM is operational, not theoretical. Practitioners should treat crypto controls as a joined-up trust framework, not a set of disconnected checks.

Identity verification without behavioural correlation leaves a blind spot. In crypto ecosystems, a verified customer can still become a laundering vehicle if later activity is not tied back to wallet behaviour, counterparties and velocity patterns. That creates a verification trust gap: the organisation knows who entered the system, but not whether that identity is now being used as intended. Practitioners should align KYC evidence with ongoing risk scoring and transaction review.

Regional adoption creates a moving control baseline. The report’s regional lens matters because policy, retail behaviour and institutional participation change what “normal” looks like. Fixed thresholds can either over-block legitimate users or under-detect suspicious flows. Practitioners should tune governance to the market they operate in, not the one they assumed last year.

Fraud and compliance teams need shared ownership of crypto risk signals. Scam monetisation, OTC usage and laundering patterns are not separate problems when viewed from the attacker’s perspective. They are one chain of conversion and concealment. The organisations that perform best are the ones that can move from identity verification to transaction intelligence without manual handoffs. Practitioners should consolidate escalation paths across fraud, AML and customer risk.

Transaction visibility is the new control plane for crypto governance. The specific concept here is conversion-path risk, meaning the point at which legitimate-seeming transfers become the mechanism for laundering or fraud monetisation. That concept helps teams focus on where controls need to join up, not just where they begin. Practitioners should measure whether their program can trace value from onboarding through exit, not simply approve entry.

What this signals

Crypto programmes increasingly need to behave like identity governance systems as much as financial controls. The practical test is whether a team can connect onboarding, wallet behaviour and suspicious transaction review fast enough to stop abuse before funds are laundered or dispersed.

The most durable control model will be one that treats conversion-path risk as a measurable governance signal. That means tracing how value moves across the ecosystem, then aligning fraud, AML and verification workflows to the same risk picture.

For practitioners, the lesson is straightforward: if identity evidence and transaction evidence live in separate tools, the organisation is already behind the abuse pattern it is trying to detect.


For practitioners

  • Link identity checks to transaction monitoring Connect KYC outputs, wallet behaviour and suspicious activity reviews so a verified customer remains governed after onboarding. Use shared case management to avoid manual handoffs between fraud, AML and compliance teams.
  • Segment controls by region and usage pattern Adjust thresholds, escalation logic and review queues based on local adoption patterns, customer mix and regulatory expectations. A single global rule set will miss the difference between retail growth, institutional flows and laundering tactics.
  • Trace conversion paths end to end Map how funds move from entry through OTC desks, exchanges and wallet hops so investigators can see where legitimacy turns into concealment. This helps teams identify the weak points where provenance is lost.
  • Consolidate fraud and AML case handling Create one escalation model for scams, suspicious transfers and account abuse so the team can see related signals in the same queue. Fragmented handling delays response and hides repeat offender patterns.
  • Measure review effectiveness against laundering dwell time Track how long suspicious activity remains unreviewed before conversion or withdrawal occurs, and use that metric to size investigator coverage. Long dwell times indicate the control model is too slow for the threat.

Key takeaways

  • Crypto crime is a governance problem spanning onboarding, transaction monitoring and cross-platform visibility, not just a law-enforcement issue.
  • Regional adoption, OTC behaviour and scam monetisation change the control environment, which means fixed compliance thresholds quickly become stale.
  • Teams that link identity verification to funds tracing are better positioned to detect laundering before value exits the ecosystem.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing matters where KYC and customer onboarding shape crypto risk.
NIST CSF 2.0PR.AC-1Access governance applies to customer and operator identity controls in crypto platforms.
GDPRArt.32Where crypto onboarding handles personal data, security of processing becomes a governance issue.

Align customer and operator access workflows to PR.AC-1 and review identity assertions continuously.


Key terms

  • Conversion-path risk: The point at which legitimate-looking crypto activity becomes the mechanism for laundering, fraud monetisation or concealment. It is less about a single transaction and more about the chain of movement, settlement and obfuscation that makes illicit value harder to trace.
  • Transaction intelligence: The practice of analysing payment, wallet and counterparty behaviour to detect suspicious patterns over time. In crypto, it connects identity verification to later fund movement so teams can see whether an account is being used as intended or as part of an abuse chain.
  • Identity-linked monitoring: Monitoring that ties customer identity evidence to ongoing behavioural and transaction signals. It goes beyond onboarding checks by using the same identity record to evaluate later account, wallet and transfer activity, which is essential when the abuse path unfolds after initial verification.

What's in the full report

Chainalysis' full report covers the operational detail this post intentionally leaves for the source:

  • Regional breakdowns of crypto adoption and usage patterns that help teams tune compliance controls.
  • Discussion of how policy and regulation shape crypto usage across different markets.
  • More detail on the retail versus institutional usage split and what that means for oversight.
  • The report's own research framing around darknet markets, OTC desks and scam monetisation.

👉 The full Chainalysis report covers regional trends, laundering dynamics and regulatory implications in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security and secrets management. It gives security practitioners a practical identity lens they can apply across fraud, AML and broader access control programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org