By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ChainalysisPublished January 8, 2026

TL;DR: At least 154 billion dollars flowed to illicit crypto addresses in 2025, a 162 percent increase driven largely by a 694 percent jump in sanctions-linked receipts, according to Chainalysis. Stablecoins accounted for 84 percent of illicit volume and North Korean theft reached 2 billion dollars, while the market signal is clear: compliance teams now have to treat on-chain crime as infrastructure, not just transaction monitoring.


At a glance

What this is: Chainalysis reports that illicit crypto activity reached record levels in 2025, with sanctions evasion, state-linked theft, and professionalised laundering networks reshaping the threat landscape.

Why it matters: For IAM, NHI, fraud, and compliance teams, the key lesson is that crypto ecosystems now depend on identity, access, and infrastructure controls that look more like enterprise governance than isolated financial monitoring.

By the numbers:

👉 Read Chainalysis's 2026 Crypto Crime Report on sanctions evasion and illicit on-chain infrastructure


Context

The core governance problem is not simply that more crime is happening on-chain. It is that criminal and state-linked actors now rely on mature infrastructure, specialised laundering services, and repeatable operational patterns that resemble a supply chain rather than a set of isolated transactions. That shift makes identity, access, and sanctions enforcement a control-plane problem, not just a case-management problem.

For security and compliance teams, the relevant question is how these networks sustain trust, movement, and persistence across wallets, services, and jurisdictions. When illicit activity becomes industrialised, organisations need stronger visibility into counterparties, transfer paths, and the credentialed infrastructure that supports payment flows. The overlap with IAM is indirect but real: access governance now sits alongside financial monitoring as a boundary control for digital ecosystems.


Key questions

Q: How should compliance teams handle crypto flows when sanctioned entities reuse the same services as criminals?

A: They should move beyond wallet screening and evaluate the entity, infrastructure, and transfer path together. When sanctioned actors use the same laundering services, hosters, and proxy networks as organised crime, the risk sits in the service layer. Effective controls combine sanctions intelligence, clustering, and exception handling so suspicious value movement is not treated as an isolated transaction.

Q: Why do stablecoins complicate financial crime monitoring?

A: Stablecoins move value quickly, hold price more predictably than volatile assets, and are easy to route across jurisdictions. That combination makes them attractive for legitimate settlement and illicit laundering alike. Monitoring must therefore combine AML logic, sanctions controls, and identity verification rather than treating stablecoin activity as a separate payments issue.

Q: What do security teams get wrong about on-chain crime infrastructure?

A: They often focus on the final wallet instead of the services that enable movement, conversion, and concealment. That misses the criminal platform layer, where laundering services, bulletproof hosting, and proxy networks create persistence. The better model is to treat infrastructure providers as part of the threat surface and to score them by repeat use and jurisdictional resilience.

Q: Who is accountable when a service provider helps sanctions evasion?

A: Accountability sits with the organisation that approves, monitors, and continues the relationship with the provider, not just with the service itself. When intermediaries route suspicious flows, governance should include onboarding due diligence, continuous reassessment, and documented offboarding. That is especially important where the provider can change labels without changing capability.


Technical breakdown

On-chain infrastructure turns illicit finance into a repeatable service model

The article describes an ecosystem where laundering, sanctions evasion, and asset movement are supported by specialised infrastructure providers rather than ad hoc manual transfers. That matters because repeatability changes defender assumptions. Instead of one-off suspicious wallets, teams face service layers, routing habits, and transactional templates that can be reused across campaigns. This is closer to a criminal platform model than a single fraud event, which means detection must shift from isolated alerts to networked behaviour analysis.

Practical implication: model recurring transfer patterns, not just flagged addresses.

Stablecoins, sanctioned entities, and sanctions evasion at scale

Stablecoins have become the preferred medium for illicit volume because they combine speed, liquidity, and broad interoperability. In the article, sanctioned actors and proxy networks also use dedicated token infrastructure to reduce friction and extend reach. From a control perspective, that means transaction monitoring alone is insufficient if it does not incorporate entity risk, address clustering, and cross-chain movement. The governance issue is not the asset type itself, but the way identity and destination risk are obscured inside ostensibly ordinary transfer rails.

Practical implication: bind sanctions screening to entity intelligence and transfer topology.

State-linked abuse now overlaps with criminal supply chains

The article shows that state actors increasingly use the same services, infrastructure, and laundering patterns as organised cybercrime. That overlap matters because it blurs the line between cybercrime compliance and national security response. When the same hosting, registry, and laundering layers support fraud, ransomware, and sanctions evasion, defenders need stronger provenance controls and better trust scoring for infrastructure providers. The lesson for identity and access teams is that trust boundaries must extend beyond users to the services that enable movement.

Practical implication: treat infrastructure providers as trust-bearing entities in risk reviews.


Threat narrative

Attacker objective: The objective is to move illicit value at scale while reducing attribution, preserving access to financial rails, and sustaining criminal or state operations under enforcement pressure.

  1. Entry begins with access to crypto infrastructure that can move, aggregate, or obscure funds through services built for laundering, hosting, or sanctions evasion.
  2. Escalation occurs when actors reuse professionalised on-chain services and proxy entities to increase throughput, resilience, and jurisdictional reach.
  3. Impact follows when stolen or sanctioned funds are dispersed, laundered, or converted through stablecoin-heavy rails that frustrate recovery and attribution.

NHI Mgmt Group analysis

On-chain crime has entered the infrastructure phase. The article shows that illicit crypto activity is no longer best understood as isolated fraud or theft. It now depends on repeatable service layers, specialised intermediaries, and industrialised routing patterns that resemble a criminal supply chain. For practitioners, that means governance must track not only transactions but the infrastructure that makes those transactions durable.

Sanctions evasion is now a control-design problem, not just an enforcement problem. When sanctioned actors can route value through stablecoins, proxies, and purpose-built tokens, the core weakness is not lack of rules but lack of entity-linked visibility. Identity governance in this context means being able to connect counterparties, control provenance, and challenge ambiguous flows before they scale. Practitioners should assume transfer metadata alone will miss the real risk.

Crypto compliance teams should think in terms of trust surfaces, not just suspicious wallets. The article makes clear that infrastructure providers, laundering services, and proxy networks now sit inside the attack path. That expands the governance perimeter to the services that enable custody, transfer, and obfuscation. The practical conclusion is that every trusted intermediary becomes part of the control model.

National-security motivated abuse will continue to borrow from organised cybercrime. The strongest signal in the article is convergence: state actors, ransomware groups, and fraud networks are now using overlapping infrastructure and methods. That convergence complicates both attribution and containment. Practitioners should prepare for mixed-motive ecosystems where the same service layer supports criminal finance, sanctions evasion, and politically motivated operations.

Illicit finance increasingly depends on identity-adjacent trust decisions. Even when the primary subject is crypto crime, the real control question is who or what is allowed to move value through a network of services. That is a governance problem familiar to IAM and NHI teams. The lesson is that identity boundaries now extend into financial infrastructure, where trust, approval, and revocation all matter.

What this signals

Credentialed trust is becoming a financial-control issue as well as an identity issue. For programmes that already manage service accounts, API keys, and delegated access, the lesson from on-chain crime is that identity governance can no longer stop at enterprise boundaries. The same control discipline used for privileged systems access now has to inform how organisations assess counterparties, automated transfer services, and high-risk transaction paths.

Illicit infrastructure thrives when visibility is fragmented. The reporting suggests defenders will need better correlation between identity, sanctions, and transaction telemetry if they want to detect industrialised abuse early. That aligns with the broader direction of enterprise governance: the more an ecosystem depends on hidden intermediaries, the more important provenance, revocation, and trust scoring become.

Criminal platforms behave like durable non-human identity ecosystems. They rely on reusable services, stable access patterns, and persistent infrastructure to keep value moving, which makes the control problem familiar to NHI teams. If an organisation already struggles to govern machine identities inside its own estate, it should expect even less visibility across third-party payment and laundering ecosystems.


For practitioners

  • Map high-risk counterparties and service providers Build an inventory of exchanges, mixers, laundering services, and infrastructure providers that appear repeatedly in suspicious flows. Use that inventory to prioritise review of recurring counterparties and jurisdictions rather than chasing single transactions.
  • Tie sanctions screening to entity clustering Augment address-level screening with clustering logic, beneficial ownership signals, and cross-chain tracing so sanctions exposure is evaluated at the entity level, not only the wallet level.
  • Create escalation paths for infrastructure-linked risk Route cases involving hosting, token issuance, or laundering services into higher-priority review because these providers can amplify both scale and persistence across campaigns.
  • Separate routine fraud monitoring from state-linked threat handling Use a distinct playbook for activities that show laundering infrastructure, proxy entities, or sanctioned-party links, because these cases carry compliance, legal, and national-security implications that ordinary fraud queues may miss.

Key takeaways

  • Crypto crime in 2025 is better understood as industrialised infrastructure than isolated theft.
  • The scale is now material, with illicit receipts, sanctions-linked flows, and state-backed theft all moving sharply upward.
  • Teams need entity-level visibility, infrastructure-aware screening, and clearer ownership for high-risk flows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Entity-linked trust and access decisions matter when illicit services enable value movement.
NIST SP 800-53 Rev 5AC-6Least privilege is relevant to controlling who can approve or execute risky financial workflows.
MITRE ATT&CKTA0006 , Credential Access; TA0010 , ExfiltrationThe article describes theft, laundering, and concealment patterns that align to credentialed abuse and value removal.
ISO/IEC 27001:2022A.5.15Access control governance is relevant where financial infrastructure depends on trusted intermediaries.

Map counterparties and transfer services to PR.AC-4 and tighten approval for high-risk flows.


Key terms

  • On-Chain Infrastructure: The collection of services, wallets, tokens, and routing patterns that make blockchain activity repeatable and scalable. In illicit contexts, this includes laundering services, proxy entities, and hosting providers that help actors move value, obscure origin, and maintain operational continuity.
  • Sanctions evasion: Sanctions evasion is the deliberate movement of value or goods to avoid legal restrictions imposed on designated people, entities, or jurisdictions. In crypto markets, it often relies on speed, cross-border settlement, and intermediary services that make destination tracing harder without strong monitoring.
  • Laundering-as-a-Service: A criminal service model where specialised actors offer value obfuscation, routing, and exchange support to other offenders. The pattern mirrors legitimate managed services, but its purpose is to preserve illicit proceeds and complicate attribution, seizure, and cross-jurisdiction enforcement.
  • Entity-Level Screening: A monitoring approach that evaluates the person, organisation, or network behind transactions rather than inspecting individual wallet addresses alone. It improves risk detection by combining clustering, ownership signals, and behavioural context to reveal hidden relationships and repeated abuse patterns.

What's in the full report

Chainalysis's full report covers the operational detail this post intentionally leaves for the source:

  • Per-category breakdowns of illicit crypto receipts, including sanctions, theft, and laundering activity.
  • The underlying methodology for identifying illicit addresses and calculating transaction totals.
  • Examples of state-linked token use and infrastructure patterns that support sanctions evasion.
  • The report's longitudinal comparison with prior-year estimates and revisions.

👉 Chainalysis's full report covers the category breakdowns, methodology, and state-linked flow examples.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity for practitioners building stronger access control. It is suitable for security and identity teams that need a common operating model for machine identities and privileged access.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org