By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: ChainalysisPublished December 17, 2025

TL;DR: Cryptocurrency is reshaping money laundering, fraud, DeFi exploitation, ransomware and cross-chain criminal activity, while investigators increasingly use blockchain transparency and analytics to trace assets and cases, according to Chainalysis. The governance issue is no longer whether crypto is criminally useful, but whether controls, investigation workflows and identity assurance can keep pace.


At a glance

What this is: Chainalysis positions crypto crime as a mature criminal capability, with the report focused on laundering, scams, DeFi exploits, ransomware and cross-chain activity.

Why it matters: For fraud, compliance, SOC and identity teams, this matters because crypto-related crime blends payment abuse, trust exploitation and investigation challenges that often intersect with account compromise and weak identity verification.

👉 Read Chainalysis's 2026 Crypto Crime Report for analysis of laundering, scams and ransomware


Context

Crypto crime is not a single threat pattern. It spans laundering networks, scam infrastructure, DeFi abuse, ransomware monetisation and asset movement across chains, which makes it a governance problem as much as a law-enforcement problem. In practice, the control gap is often not visibility alone, but the ability to connect transaction behaviour, identity evidence and operational response.

For identity and fraud practitioners, the important question is where crypto activity intersects with onboarding, account takeover, mule activity and recovery workflows. That is where NHI Mgmt Group’s research lens becomes relevant, because the same authentication, privilege and lifecycle issues that weaken enterprise identity programmes can also enable criminal tooling and obscured asset movement.

This report frames crypto transparency as an investigative advantage, but transparency does not automatically produce control. Organisations still need decision rules, escalation paths and evidence handling that can turn blockchain data into actionable risk management rather than post-incident commentary.


Key questions

Q: How should organisations reduce crypto scam losses before transfers happen?

A: Organisations should place stronger verification before authorisation, not after loss. That means step-up checks for high-value transfers, destination changes, and first-time counterparties, plus behavioural monitoring for urgency, impersonation, and unusual payment timing. Fraud controls work best when they are linked to account assurance and beneficiary validation.

Q: Why do blockchain analytics and identity evidence need to be connected?

A: Blockchain data shows where value moved, but identity evidence explains who initiated the action, from which environment and under what trust conditions. Connecting the two improves attribution, prioritisation and recovery because it turns a transaction trail into an investigation path instead of a standalone ledger view.

Q: What do security teams get wrong about crypto compliance and fraud?

A: Teams often treat compliance and fraud as separate workstreams, but they usually fail together when identity evidence is weak or fragmented. If verification, monitoring, and escalation are not connected, attackers and bad actors exploit the gap between policy and execution. A single operating view is more effective than siloed controls.

Q: Who should own fraud response when crypto scams cross platform and law-enforcement boundaries?

A: Ownership should sit with a coordinated response model that includes security, investigations, compliance, and legal teams. Internal analysts need clear authority to preserve evidence, escalate suspicious patterns, and coordinate external referrals. The key is documented handoff, because identity abuse in crypto often spans multiple jurisdictions and actors.


Technical breakdown

How crypto laundering networks use transaction layering

Crypto laundering typically relies on splitting value across many wallets, chains and services to break the obvious link between source and destination. Techniques include peel chains, mixers, rapid hops across assets and the use of intermediary accounts that mimic ordinary activity. The point is not to hide every transaction, but to make attribution expensive and slow enough that funds can be cashed out or reused before response catches up. This creates an investigation problem where identity evidence, behavioural context and transaction timing must be analysed together.

Practical implication: build investigation workflows that correlate wallet behaviour with identity and account-access evidence, not just transaction logs.

Why advanced scam architectures defeat simple fraud controls

Modern scam operations are increasingly industrialised, with scripted social engineering, staged trust building and repeatable conversion funnels that look like legitimate customer journeys until the transfer point. In crypto environments, that often means the fraud is not visible at onboarding, but emerges when the victim is induced to authorise transfers, reveal credentials or approve wallet actions. Controls that only inspect static attributes miss the dynamic sequence of trust manipulation that drives these schemes.

Practical implication: monitor behavioural signals and escalation points, especially where identity proofing, account recovery and transfer approval intersect.

How blockchain analytics changes ransomware and asset recovery

Blockchain transparency gives investigators a durable record of address movement, which can support tracing, cluster analysis and seizure actions even when criminals attempt rapid movement across services. But transparency does not solve all operational problems, because attribution still depends on off-chain evidence, exchange cooperation and timely triage. The strongest programmes combine transaction analytics with case management, legal escalation and identity linkage so that evidence becomes operationally usable, not just visible.

Practical implication: align blockchain analytics with legal, fraud and incident-response workflows so recovery actions can start before assets are fully dispersed.


Threat narrative

Attacker objective: The attacker’s objective is to convert stolen or illicit value into usable funds while reducing the chance of detection, freeze action or recovery.

  1. Entry begins with scam architecture, account compromise or service abuse that creates access to wallets, exchanges or laundering infrastructure.
  2. Escalation follows through transaction layering, cross-chain movement, mule accounts or intermediary services that reduce traceability and complicate attribution.
  3. Impact is realised when stolen value is cashed out, reused for further criminal operations, or obscured long enough to frustrate recovery and enforcement.

NHI Mgmt Group analysis

Crypto crime is now an identity problem as much as a payments problem. The report describes criminal use of scams, laundering and cross-chain activity, but the enabling weakness often sits earlier in the chain: weak account assurance, poor recovery controls and insufficient behavioural verification. That is why fraud teams and IAM teams need a shared operating model. When identity assurance fails, crypto becomes just another high-speed monetisation layer.

Blockchain transparency is useful, but it is not governance. Investigators can trace value, yet tracing alone does not stop fraud, ransomware or mule activity. The missing capability is decision-making around who can act, when evidence becomes actionable and which escalation path owns the response. Organisations should treat analytics as an evidence source, not a substitute for control design.

Advanced scam architectures expose the limits of static fraud rules. Criminals increasingly build multi-step trust journeys that resemble legitimate customer behaviour until the final transfer or approval stage. That means organisations need behavioural verification, transaction-context review and better lifecycle controls for high-risk accounts. The practitioner lesson is to govern the path to authorisation, not just the transaction itself.

Cross-chain criminal activity is creating a new form of operational fragmentation. As value moves across services, the response problem becomes distributed across exchanges, fraud teams, legal, SOC and identity operations. Verification trust gap: the failure to connect identity evidence to transaction evidence in time for intervention. Teams that cannot bridge that gap will keep seeing the same criminal patterns in new wrappers.

For NHI and agentic AI programmes, the lesson is indirect but important. Any automated workflow that can initiate transfers, approve events or trigger downstream financial actions needs stronger provenance, permission boundaries and auditability. The same governance logic that applies to privileged service accounts applies here too. Practitioners should assume that automation becomes a criminal target as soon as it can move value.

What this signals

Crypto crime programmes are increasingly converging with identity governance because the same assurance failures that enable account takeover also enable laundering, mule activity and unauthorised transfer approval. The practical consequence is that fraud teams cannot rely on transaction monitoring alone. They need identity-linked case workflows that can explain who acted, how trust was established and where intervention can still happen.

Verification trust gap: organisations are still underestimating how often high-risk financial activity depends on weak identity proofing, recovery and approval boundaries. That gap matters for any programme that handles customer onboarding, payment authorisation or privileged automation. Stronger linkage between identity evidence and payment evidence is now a control design requirement, not just an investigation enhancement.

For teams that run automated financial workflows, the lesson extends into NHI governance. Service accounts, API keys and agent-triggered actions should be treated as potentially monetisable pathways and governed with the same discipline used for privileged human access. Where that applies, foundational guidance in the Ultimate Guide to NHIs , Key Research and Survey Results remains relevant.


For practitioners

  • Strengthen account assurance for high-risk flows Require step-up verification and tighter recovery controls for wallets, exchanges and money movement workflows where account takeover would directly enable theft or laundering.
  • Correlate identity and transaction evidence Link login, device, recovery and transfer events in the same case workflow so investigators can move from alert to attribution without manual stitching.
  • Harden approval paths for value movement Add behavioural checks and secondary review for transfer authorisation, especially where trust has been built over multiple interactions before the final action.
  • Map crypto crime cases to response ownership Define who owns exchange engagement, legal escalation, fraud triage and evidence preservation before an incident occurs, not after funds start moving.

Key takeaways

  • Crypto crime now spans laundering, scams, ransomware and cross-chain movement, so it has to be governed as a multi-domain risk rather than a single fraud problem.
  • Blockchain transparency improves traceability, but investigators still need identity evidence, escalation ownership and coordinated response to turn visibility into recovery.
  • The strongest control improvement is earlier assurance at the point of trust, approval and transfer, where identity failures become monetisable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity proofing and access control are central to fraud-enabled crypto crime.
NIST SP 800-53 Rev 5IA-2Authentication strength matters where account takeover enables wallet or exchange abuse.
GDPRArt.32Where identity and fraud evidence includes personal data, protection and integrity controls apply.
OWASP Non-Human Identity Top 10NHI-03Automation and service credentials can become monetisable pathways in crypto workflows.
NIST AI RMFGOVERNAutomated decisioning and agentic workflows in finance need explicit governance and accountability.

Tie high-risk crypto workflows to verified identities and stronger access controls before transfer approval.


Key terms

  • Crypto Laundering Path: A crypto laundering path is the sequence of transfers, services, and conversions used to hide the origin of illicit funds. It often includes fragmentation, mixing, OTC movement, and exchange cash-out steps that complicate attribution and recovery.
  • Verification Trust Gap: A verification trust gap is the distance between what an organisation believes it has verified and what actually protects the transaction or account. In fraud and crypto contexts, that gap appears when onboarding, recovery or approval controls are too weak to stop misuse.
  • Cross-Chain Crime: Cross-chain crime is criminal activity that uses multiple blockchain networks or bridge services to obscure the movement of value. The technique fragments evidence across systems, which increases investigative complexity and raises the importance of linked analytics and identity context.
  • Transaction Context Review: Transaction context review is the practice of evaluating the surrounding signals for a payment or transfer, including identity, device, history and behavioural factors. It is more effective than static rule checks because it looks at how a transfer fits the broader risk pattern.

What's in the full report

Chainalysis's full report covers the operational detail this post intentionally leaves for the source:

  • Case studies showing how laundering networks adapt across chains, services and intermediaries
  • Data-driven breakdowns of scam, DeFi and ransomware patterns that support practitioner benchmarking
  • Investigator workflows for tracing assets, building cases and coordinating recovery across teams
  • Source analysis on how blockchain analytics changes the pace and quality of financial crime response

👉 The full Chainalysis report adds case studies, trend analysis and investigation detail behind the 2026 crypto crime findings.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security and secrets management in a way that supports practitioners responsible for access and assurance. It helps identity and security teams connect governance decisions to the broader control environment their programmes depend on.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org