TL;DR: Crypto-enabled fraud, ransomware, sanctions evasion, and victim reporting now sit inside a broader law-enforcement model that depends on training, multi-agency cooperation, and data analysis, including a 48% year-over-year rise in pig butchering losses to about $5.8 billion, according to Chainalysis. The security lesson is that crime disruption increasingly depends on intelligence, reporting, and process automation rather than isolated case work.
At a glance
What this is: This is a podcast preview on how the FBI is adapting to crypto-enabled crime, with AI, multi-agency cooperation, and victim reporting emerging as core operational themes.
Why it matters: It matters to identity and security practitioners because fraud, sanctions evasion, and crypto tracing all depend on trust, attribution, and the ability to connect accounts, wallets, and victims across systems.
By the numbers:
- Victim reporting to the Internet Crime Complaint Center showed a 48% increase year over year in pig butchering losses to about $5.8 billion in reported losses.
- Victims often report fraud late, and some studies suggest only 10% to 20% of victims actually report being defrauded.
- The FBI said the total reported losses for frauds and ransomware in IC3 complaints were over $16 billion.
- 10 by using technology more effectively.
👉 Read Chainalysis’ preview of Public Key episode 171 on crypto crime and law enforcement
Context
Crypto-enabled crime has moved from a narrow money-laundering concern into a broader operational challenge spanning fraud, ransomware, sanctions, and illicit finance. The article’s central point is that law enforcement now needs faster attribution, stronger victim reporting, and better data handling to keep pace with criminal use of digital assets.
For security and identity teams, the relevant lesson is that fraud ecosystems behave like access ecosystems: they rely on trust relationships, account control, and repeated reuse of infrastructure. When victims, wallets, and service accounts can be linked across events, investigators gain leverage, but when that linkage is missing, abuse persists far longer than most control frameworks assume.
Key questions
Q: How should teams handle crypto-enabled fraud when victim reports are incomplete?
A: Treat reporting gaps as a detection problem, not just a communications issue. Teams should combine transaction monitoring, complaint intake, and external intelligence to identify clusters of related activity even when only a minority of victims come forward. The goal is to reconstruct the fraud network early enough to preserve evidence and limit further loss.
Q: Why does AI matter in financial crime investigations?
A: AI matters because the data volume is too large for manual review to catch every relevant pattern. Used well, AI can prioritise suspicious activity reports, surface related entities, and route cases to specialists faster. The control point is triage, not final judgement. Humans still decide escalation and enforcement.
Q: What do organisations get wrong about crypto tracing?
A: They often treat tracing as a narrow payments exercise when it is really a correlation problem across identities, wallets, services, and victim activity. Without linking those entities, investigators see transactions but miss the broader fraud ecosystem. Effective tracing depends on relationship mapping, not just blockchain visibility.
Q: Who is accountable when crypto-related fraud or laundering is detected?
A: Accountability usually spans security, fraud, compliance, legal, and platform operations because each owns a different part of the control chain. A usable response model defines who can preserve evidence, who can escalate to exchange partners, and who can approve external referrals.
Technical breakdown
How crypto tracing changes investigation workflows
Cryptocurrency tracing turns value movement into an evidence trail, but only when investigators can correlate wallet addresses, exchanges, and off-chain identifiers quickly enough to act. That requires analyst workflows that combine blockchain analytics, case management, and external reporting sources. In practice, the challenge is not visibility alone. It is deciding which transactions matter, which entities control them, and when to escalate from monitoring to action. This is why crypto tracing increasingly resembles identity correlation work across distributed systems.
Practical implication: build investigative workflows that connect blockchain telemetry to victim reports, account intelligence, and escalation criteria.
Why AI and machine learning matter in financial crime review
AI and machine learning help compress large, noisy datasets such as Bank Secrecy Act and Suspicious Activity Report records into usable leads. The FBI example shows the point clearly: humans cannot manually inspect every record at scale, and they should not have to. The technical shift is from exhaustive review to prioritised detection, where models filter for likely fraud, terrorism, or laundering patterns and route them to specialists. That changes case intake, not final judgement.
Practical implication: use AI to triage and prioritise, but keep human adjudication for enforcement and investigative decisions.
What multi-agency cooperation looks like in crypto enforcement
The article describes a coordination model that includes the FBI, Treasury, OFAC, field offices, and private-sector analytics support. Technically, this is about assembling a shared operating picture across different legal authorities, data sources, and remediation levers. Sanctions, freezing, reporting, and investigation each solve a different part of the problem. The important mechanism is not any single tool. It is the ability to move from detection to disruption across organisational boundaries without losing evidentiary integrity.
Practical implication: define cross-agency and cross-function handoffs before a case begins, not after losses compound.
Threat narrative
Attacker objective: The attacker objective is to monetise fraud or ransomware at scale while obscuring the movement of funds and reducing the chance of recovery or attribution.
- Entry begins with social engineering, investment fraud, ransomware delivery, or illicit service use that moves victims and proceeds into crypto-enabled channels.
- Escalation occurs when criminals convert trust in wallets, exchanges, mirrored sites, or laundering infrastructure into repeated payments and broader control of the fraud economy.
- Impact is realised through theft, laundering, sanctions evasion, and delayed recovery, with victim loss amplification when reporting and correlation are weak.
NHI Mgmt Group analysis
Crypto crime is increasingly an identity problem, not just a payments problem. The episode shows that wallets, exchanges, mirrored web properties, and victim accounts all sit inside a trust network that criminals exploit repeatedly. For IAM and fraud teams, the lesson is that identity resolution and account linkage are now part of financial crime defence, not an adjacent concern. Practitioners should treat account provenance and relationship mapping as core control inputs.
AI-assisted triage is becoming necessary because manual review does not scale. The FBI’s move from hand-reviewing SARs to using data analytics mirrors a broader control reality: oversight that depends on human exhaustion is not durable. In identity governance terms, this is the same pattern seen in large access-review programmes that drown reviewers in noise. Detection-response latency: the longer it takes to turn raw reports into actionable leads, the more value criminals extract. Practitioners should design for prioritisation, not universal manual inspection.
Victim reporting is a control surface, not a downstream afterthought. Barnacle’s comments on IC3 show that underreporting materially weakens enforcement and hides the true scale of harm. For regulated environments, reporting channels, evidence capture, and escalation paths should be treated as part of operational resilience. If victims or internal teams do not know where to report, the organisation has already lost investigative time. Practitioners should make reporting routes visible, simple, and rehearsed.
Sanctions and public-private coordination are becoming part of the response model. The article’s emphasis on OFAC actions and private-sector cooperation shows that disruption now depends on more than arrests alone. That matters for identity and security leaders because many fraud and laundering ecosystems rely on reused infrastructure and delegated trust relationships. When those relationships can be mapped and disrupted, the criminal supply chain becomes more brittle. Practitioners should prepare for multi-party response, not isolated containment.
What this signals
The programme implication is that crypto-enabled fraud should be managed as a trust-graph problem, not a single-channel fraud problem. Teams that can correlate accounts, wallets, and reporting signals will detect abuse earlier, while those that rely on isolated alerts will keep rediscovering the same actors.
Detection-response latency: the practical measure of resilience here is how quickly a suspicious transaction or complaint becomes a triaged case. That aligns closely with controls discussed in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where auditability and incident handling depend on timely evidence capture.
For identity and fraud programmes, the next step is to harden reporting, escalation, and entity resolution before the next wave of scams expands. The same discipline used to govern non-human identity sprawl applies here: map relationships, define ownership, and reduce the time between first signal and coordinated response.
For practitioners
- Correlate victim reports with account intelligence Build workflows that tie complaints, wallet activity, and mirrored domains back to common actors so analysts can spot repeated fraud infrastructure faster.
- Use AI to triage, not decide Apply machine learning to sort high-volume SAR and transaction data into ranked leads, while retaining human review for enforcement and case decisions.
- Treat reporting channels as operational controls Publish simple, rehearsed reporting paths for fraud, extortion, and suspicious financial activity so investigators can preserve evidence before attribution degrades.
- Pre-negotiate disruption handoffs Agree in advance how legal, investigative, sanctions, and private-sector teams will hand off cases when rapid freezing or takedown becomes possible.
- Measure investigative throughput, not just alerts Track how many cases each analyst can move from intake to action, because throughput shows whether automation is reducing noise or merely shifting it.
Key takeaways
- Crypto crime enforcement is shifting from isolated case work to correlated intelligence across wallets, victims, and service providers.
- The FBI’s own example shows why AI-assisted triage and multi-agency cooperation now matter more than manual review at scale.
- Organisations that improve reporting, entity linkage, and response handoffs will reduce fraud dwell time and improve recovery chances.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Fraud monitoring and case triage depend on continuous detection of suspicious financial activity. |
| NIST SP 800-53 Rev 5 | AU-6 | Timely review and analysis of records is central to tracing crypto-enabled crime. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0010 , Exfiltration | Crypto-enabled fraud and ransomware often hinge on access abuse and monetised data or funds movement. |
| NIST AI RMF | MANAGE | The article’s AI discussion focuses on operational use of machine learning in high-volume review workflows. |
Map fraud intelligence workflows to DE.CM-1 and tighten how quickly suspicious signals become cases.
Key terms
- Crypto-enabled Crime: Crime that uses cryptocurrency as part of the offence, the laundering path, or both. The digital asset is usually not the primary crime itself. It is the mechanism that helps offenders move value quickly, obscure provenance, and complicate recovery and attribution.
- Victim Reporting Gap: The difference between the number of harmed people and the number who actually report the harm to authorities or internal teams. In fraud and crypto cases, this gap delays disruption, hides scale, and makes it harder to connect separate incidents into one campaign.
- Investigative Triage: The process of sorting large volumes of alerts, reports, or transactions into a smaller set of cases that deserve human attention. In practice, triage uses rules, analytics, and increasingly machine learning to reduce noise while preserving the ability to make judgement calls.
What's in the full article
Chainalysis' full podcast preview covers the operational detail this post intentionally leaves for the source:
- James Barnacle’s full comments on the FBI’s crypto investigation evolution and why the money laundering function became central to the work.
- The discussion of how the FBI built field-office response teams, training materials, and a Virtual Assets Unit as the threat expanded.
- The episode’s account of victim reporting, IC3 trends, and why underreporting changes the enforcement picture.
- The segment on AI and machine learning use in SAR review, including how investigators are narrowing enormous data sets into usable leads.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity through a practitioner-led curriculum. It is designed for security and identity professionals who need to connect access governance to operational risk.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org