By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ChainalysisPublished January 8, 2026

TL;DR: Illicit cryptocurrency addresses received at least $154 billion in 2025, a 162% year-over-year increase driven largely by a 694% rise in value received by sanctioned entities, according to Chainalysis. The data shows crypto crime is becoming more professionalized, with sanctions evasion, laundering services, and nation-state activity now operating as a linked ecosystem rather than isolated events.


At a glance

What this is: Chainalysis says illicit crypto activity reached a record $154 billion in 2025, driven by sanctions evasion, nation-state use, and professionalised laundering infrastructure.

Why it matters: For IAM and NHI practitioners, the report matters because it shows how sanctioned actors and criminal services now rely on durable access paths, making credential governance and transaction monitoring part of the same risk picture.

By the numbers:

👉 Read Chainalysis' 2026 Crypto Crime Report on crypto crime, sanctions evasion, and nation-state activity


Context

Crypto crime is no longer just a story about opportunistic theft. The report describes a market in which sanctions evasion, laundering, and infrastructure services have become more organised, with nation-states increasingly using the same on-chain mechanics as criminal networks. That shift matters to identity and access governance because durable access, delegated trust, and opaque intermediaries are the same conditions that let non-human identities and payment workflows drift beyond control.

The practical issue is not whether legitimate crypto use dominates overall volume, because it still does. The issue is that the illicit layer now looks operationally mature, with specialised service providers, bespoke infrastructure, and asset choices that make enforcement harder. That is typical of a maturing abuse ecosystem, but the scale of state-linked participation is atypical and raises the governance bar for financial crime, compliance, and security teams.


Key questions

Q: What breaks when illicit crypto activity is monitored only by wallet address?

A: Address-only monitoring misses the service relationships, routing patterns, and infrastructure reuse that let illicit actors keep moving value after one wallet is blocked. Effective monitoring has to follow the operational network, not just the identifier. That is especially true when laundering services and infrastructure providers create durable pathways that outlive individual accounts.

Q: Why do stablecoins matter so much in crypto crime governance?

A: Stablecoins reduce friction because they combine fast transferability, low volatility, and broad utility, which helps illicit actors preserve value while moving across jurisdictions. That does not make the asset itself suspicious, but it does mean investigators need stronger context around counterparties, sequencing, and service reuse to separate legitimate from abusive flow.

Q: What do security teams get wrong about sanctions evasion in crypto?

A: They often treat sanctions evasion as a single enforcement problem instead of a multi-party operating model. The report shows state actors and criminal services increasingly share infrastructure, so controls have to focus on ecosystem relationships, repeated trust paths, and governance over enabling services, not just isolated transactions.

Q: Who is accountable when illicit infrastructure services support sanctioned activity?

A: Accountability usually spans the service provider, the customer-facing platform, and the compliance function that failed to interrupt repeated high-risk access or transaction patterns. Frameworks such as NIST SP 800-53 Rev 5 Security and Privacy Controls and zero trust thinking both point to the need for clearer ownership, review, and boundary enforcement.


Technical breakdown

Sanctions evasion now behaves like an infrastructure problem

The report shows sanctions evasion is no longer limited to a single wallet set or an isolated laundering path. Instead, state-linked actors and criminal networks are using layered infrastructure, including bespoke tokens, laundering services, and technical service providers that help move value while obscuring provenance. This resembles a supply-chain model for financial crime: one actor provides liquidity, another provides concealment, and another provides distribution. The result is a more resilient abuse ecosystem that can survive takedowns and re-route around enforcement pressure.

Practical implication: treat sanctions-risk exposure as an ecosystem problem, not a single-address monitoring problem.

Stablecoins compress friction for illicit movement

Stablecoins dominate illicit transaction volume because they combine transferability, price stability, and broad utility. Those same properties that make them useful in legitimate markets also reduce friction for laundering and cross-border movement. In practice, that means investigators see more consistent value retention and faster movement through wallets, services, and exchanges. For compliance teams, the technical challenge is less about the asset class itself and more about tracing behavioural patterns across counterparties, timing, and service relationships.

Practical implication: build controls around flow analysis and counterparty risk, not just asset labels.

The crypto crime stack now includes non-human service dependencies

A key pattern in the report is the role of full-stack illicit infrastructure providers. These entities supply hosting, domain, laundering, and other services that bad actors consume much like legitimate businesses consume cloud or identity services. That creates an identity problem as much as a crime problem, because durable service relationships, repeated access, and delegated operational trust make attribution and disruption harder. Where identity governance is weak, those service dependencies can persist long after one abusive actor is removed.

Practical implication: apply lifecycle controls and access review discipline to third-party service dependencies that enable financial crime.


Threat narrative

Attacker objective: The objective is to move and legitimise illicit value at scale while reducing the chance of interdiction, attribution, or sanctions enforcement.

  1. Entry occurs when nation-state or criminal actors tap into professionalised on-chain infrastructure and service providers that already support illicit movement and concealment.
  2. Escalation happens as those actors combine laundering services, bespoke tokens, and full-stack technical infrastructure to move higher volumes while reducing enforcement visibility.
  3. Impact is mass-scale sanctions evasion, stolen-funds laundering, and greater operational resilience for both cybercriminal and state-aligned campaigns.

NHI Mgmt Group analysis

Crypto crime has become an identity and access governance problem as much as a financial crime problem. The report shows illicit actors increasingly rely on durable service relationships, delegated operational trust, and repeatable infrastructure. That means the control question is no longer only where money moved, but who had persistent access to the services that enabled movement. For practitioners, that shifts the governance lens toward lifecycle control over intermediaries and non-human service dependencies.

Sanctions evasion now looks like a multi-party trust chain, not a single malicious address. Nation-states, laundering-as-a-service providers, and infrastructure operators now collaborate across loosely coupled roles. This is structurally similar to complex identity ecosystems where risk accumulates across delegation paths rather than one account at a time. The field should treat trust propagation as the core governance issue, because controls built only for isolated actors will miss the operating model that matters.

Stablecoin dominance creates a stronger case for behaviour-based control than asset-based control alone. When 84% of illicit volume concentrates in one asset class, defenders can overestimate the value of simple token-centric rules. The more durable answer is to correlate counterparties, timing, service reuse, and privilege patterns across transactions. Practitioners should design monitoring around behavioural risk signals, not just currency type.

Full-stack illicit infrastructure is a reminder that abuse scales where access persists. The same pattern appears across identity security, where repeated, unmanaged access to systems creates a platform for abuse. Here the named concept is illicit service dependency sprawl: the accumulation of third-party services, wallets, and infrastructure that keep illicit operations alive after individual actors are disrupted. Practitioners should map, review, and govern those dependencies like any other high-risk access pathway.

National security and consumer protection now converge in the same crypto governance controls. The report ties state activity, terrorism financing, fraud, and stolen funds into one ecosystem. That convergence means compliance teams, fraud teams, and security teams cannot work from separate risk models if they touch the same infrastructure. Practitioners should align monitoring, escalation, and accountability across those functions before the next enforcement cycle.

What this signals

The governance signal here is that illicit infrastructure behaves like any other durable access layer. Once a service relationship becomes embedded, disruption gets harder and accountability becomes diffuse, which is why teams need explicit ownership and lifecycle control over high-risk intermediaries.

Illicit service dependency sprawl: the operational buildup of wallets, hosts, laundering services, and intermediaries that keep abuse running after one actor is removed. For practitioners, that means risk management must extend beyond the transaction to the enabling service mesh, including external dependencies that can preserve abuse capacity.

The same logic applies to identity programmes that allow standing access to persist across third-party and machine-mediated workflows. Teams should expect regulators and internal audit to ask not only whether controls exist, but whether they interrupt durable trust paths before abuse scales.


For practitioners

  • Map high-risk on-chain counterparties Create a current inventory of wallets, services, and intermediaries that repeatedly touch sanctioned or illicit exposure. Prioritise entities with durable transactional relationships rather than one-off interactions.
  • Separate asset monitoring from behaviour monitoring Track counterparty reuse, transfer timing, and service chaining alongside asset class so that stablecoin activity is assessed in context, not just by token type.
  • Review third-party service dependencies Treat laundering, hosting, domain, and exchange integrations as governed dependencies with explicit ownership, review cadence, and offboarding criteria.
  • Align compliance and security escalation paths Define shared escalation criteria for sanctions exposure, fraud indicators, and state-linked activity so that alerts do not remain trapped in one function.

Key takeaways

  • Crypto crime in 2025 was defined by scale, professionalisation, and the convergence of state-linked actors with criminal infrastructure.
  • The evidence points to a governance problem as much as a financial crime problem, because durable service dependencies now sustain illicit flows.
  • Practitioners should shift from isolated address monitoring to ecosystem control, lifecycle review, and cross-functional escalation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access governance is central to durable illicit service relationships.
NIST SP 800-53 Rev 5AC-6Least privilege limits persistent access through enabling services.
NIST Zero Trust (SP 800-207)Zero trust helps when trust paths are reused across services and actors.
MITRE ATT&CKTA0042 , Resource Development; TA0010 , ExfiltrationThe report describes infrastructure build-out and illicit value movement.

Track how adversaries build, reuse, and move through infrastructure to inform detection and disruption.


Key terms

  • Sanctions evasion: Sanctions evasion is the deliberate movement of value or goods to avoid legal restrictions imposed on designated people, entities, or jurisdictions. In crypto markets, it often relies on speed, cross-border settlement, and intermediary services that make destination tracing harder without strong monitoring.
  • Laundering-as-a-Service: A criminal service model where specialised actors offer value obfuscation, routing, and exchange support to other offenders. The pattern mirrors legitimate managed services, but its purpose is to preserve illicit proceeds and complicate attribution, seizure, and cross-jurisdiction enforcement.
  • Counterparty Exposure: Counterparty exposure is the degree to which a platform, exchange, or issuer is connected to sanctioned or high-risk entities through direct or indirect transactions. In practice, it is a governance measure of how much operational and regulatory risk a business inherits from the addresses and services it interacts with.
  • Delegated Trust Path: A route into an environment created by an already-approved relationship such as OAuth, service account delegation, or API connectivity. These paths are attractive to attackers because they often inherit trust from the original configuration and can bypass direct user interaction.

What's in the full report

Chainalysis' full 2026 Crypto Crime Report covers the operational detail this post intentionally leaves for the source:

  • Year-by-year breakdowns of illicit volume by category, including sanctions, theft, ransomware, and laundering.
  • The report's method notes for lower-bound estimation and how identified illicit addresses are counted.
  • The full trend analysis behind nation-state activity, including DPRK, Russia's A7A5 token, and Iran-linked activity.
  • Additional context on violent coercion, trafficking, and how off-chain evidence affects classification.

👉 The full Chainalysis report includes the trend breakdowns, methodology notes, and category-level data behind the 2025 findings.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity with a focus on practical control design. It is relevant for practitioners who need to reduce exposure windows and strengthen governance across human and non-human access.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org