By NHI Mgmt Group Editorial TeamPublished 2026-05-12Domain: Identity Beyond IAMSource: Chainalysis

TL;DR: Crypto-based money laundering now extends beyond hiding on-chain proceeds and increasingly touches mixers, bridges, hops, and established laundering networks moving into cryptocurrency, according to Chainalysis. The governance challenge is no longer just tracing assets, but linking blockchain intelligence to AML workflows that can follow crime across on-chain and off-chain activity.


At a glance

What this is: Chainalysis argues that crypto money laundering has expanded from on-chain concealment to a wider crime ecosystem that includes mixers, bridges, hops, and legacy laundering networks.

Why it matters: For identity, AML, and fraud practitioners, this matters because transaction tracing alone is not enough when illicit actors use layered transfer paths and onboarding methods that blur the boundary between blockchain activity and broader financial crime.

👉 Read Chainalysis' report on cryptocurrency money laundering and AML investigation trends


Context

Crypto money laundering is the use of digital assets and transfer techniques to obscure the origin, movement, or destination of illicit funds. The source article frames the problem as broader than on-chain concealment, which means investigators need to treat blockchain activity, account behaviour, and off-chain onboarding as a single risk surface.

For IAM, fraud, and AML teams, the intersection is governance: who can move value, through which identities, under what controls, and with what monitoring. That makes customer identity checks, wallet risk signals, and transaction analytics part of the same control story rather than separate disciplines.

The article sits in a space where cryptographic transfer systems, identity verification, and financial crime controls overlap. That is a familiar pattern in mature crime ecosystems, where attackers and launderers exploit the seams between technical visibility and operational accountability.


Key questions

Q: How should AML teams investigate crypto transactions that use mixers and bridges?

A: Start by treating mixers and bridges as provenance-disrupting services rather than final conclusions. Correlate transaction timing, counterparty clustering, and account identity evidence, then move the case into a broader entity-based investigation. The goal is to reconstruct the laundering path, not to prove risk from a single hop or wallet event.

Q: Why do crypto laundering cases need identity verification as well as chain analytics?

A: Chain analytics shows movement, but identity verification shows who is likely operating the accounts behind that movement. When laundering uses exchanges, mule accounts, or delegated access, the answer depends on both data sets. Without identity evidence, investigators often know where value moved but not who controlled the flow.

Q: What do investigators get wrong about tracing illicit crypto flows?

A: A common mistake is assuming that visibility on-chain automatically equals attribution. In practice, layered transfers, jurisdictional fragmentation, and intermediary accounts can separate transaction evidence from operator identity. Teams need case management, KYC, and behavioural correlation to turn visible movement into actionable findings.

Q: Which controls help when laundering activity crosses from crypto into traditional finance?

A: Use integrated monitoring across KYC, sanctions, transaction screening, and account behaviour, then preserve evidence for SAR or equivalent reporting. Cross-domain laundering often fails at the seams between systems, so the most effective control is coordinated investigation rather than isolated alert handling.


Technical breakdown

Mixers, bridges, and hops in crypto laundering paths

Mixers, bridges, and hops are different methods used to break the visible link between a source transaction and its final destination. Mixers pool funds to obscure provenance, bridges move assets across chains, and hops add intermediate transfers that complicate tracing. The practical issue is not that blockchain is opaque, but that investigators must reconstruct intent and control across multiple steps and services. That requires chain analytics, entity clustering, and behavioural correlation, not just address-level review.

Practical implication: build investigation workflows that follow transfer paths across services rather than reviewing single wallet events in isolation.

Why established laundering networks matter to crypto compliance

When established money laundering networks enter crypto, they bring mature operational patterns such as layering, nominee accounts, and coordinated cash-out points. The result is a hybrid laundering model where on-chain movement is only one step in a broader workflow that may include identity fraud, mule activity, or exchange abuse. For investigators, this changes the evidentiary threshold. Attribution depends on combining blockchain signals with KYC records, account access patterns, and cross-case link analysis.

Practical implication: join blockchain intelligence to identity and account telemetry so suspicious activity can be tied to real operators, not just addresses.

Blockchain intelligence as an AML control layer

Blockchain intelligence is the application of analytics to trace, classify, and prioritise crypto activity for investigation and compliance. In practice, it functions as a control layer that helps teams identify exposure, triage alerts, and support suspicious activity reporting. Its value rises when it is connected to case management, sanctions screening, and identity verification, because the control objective is not just to see movement but to explain risk and account for who is behind it.

Practical implication: treat blockchain intelligence as part of the AML control stack, not as a standalone monitoring tool.


Threat narrative

Attacker objective: The attacker objective is to obscure provenance long enough to cash out illicit funds, evade detection, and reduce the chance of successful attribution or seizure.

  1. Entry occurs when illicit actors move proceeds into crypto via mixers, bridges, or onboarding paths that reduce immediate traceability.
  2. Escalation occurs as they layer transfers through multiple hops and services, making entity attribution and source-of-funds analysis more difficult.
  3. Impact occurs when investigators lose the ability to connect on-chain movement to the underlying crime, delaying enforcement, freezing, and reporting actions.

NHI Mgmt Group analysis

Crypto laundering is now an identity problem as much as a tracing problem. The article shows that laundering paths are no longer limited to purely technical obscuration on-chain. Once illicit networks use exchanges, mule accounts, or intermediary onboarding, the control question shifts to who is allowed to move value and how that identity is verified. For AML and fraud teams, the boundary between wallet risk and identity risk is collapsing.

Mixers and bridges create a provenance gap that traditional casework struggles to close. These tools do not make investigation impossible, but they expand the number of hops, entities, and jurisdictions that must be correlated before confidence is high. That makes the operational bottleneck governance and evidentiary stitching, not raw data availability. Practitioners should assume longer investigative chains and higher false-negative risk.

Established laundering networks entering crypto raise the bar for account-level controls. The article points to a hybrid threat model where legacy laundering tradecraft meets blockchain infrastructure. That means KYC, transaction monitoring, and suspicious activity workflows need to be connected to access governance around high-risk accounts and service identities. Hybrid laundering adaptation: the same actor can now use both identity deception and blockchain layering, so controls must span both domains.

Blockchain intelligence is becoming a compliance-enablement layer, not just a detective tool. The useful output is no longer only attribution after the fact. It is risk ranking, evidence preservation, and faster handoff into AML case management. That changes how teams measure effectiveness. Practitioners should expect success to be judged by decision quality and response speed, not just number of traced transactions.

For identity programmes, this is another example of trust shifting away from a single control plane. In financial crime environments, one system rarely provides enough certainty on its own. Identity verification, transaction analytics, sanctions screening, and account behaviour each cover different parts of the same attack path. Practitioners should treat cross-control correlation as a core design requirement rather than an integration nicety.

What this signals

Crypto laundering is forcing AML and identity programmes to converge around shared evidence, because transaction visibility alone no longer explains operator intent. Teams that already separate fraud, KYC, and access governance will find that separation harder to defend as laundering tradecraft spans accounts, services, and chains.

Provenance stitching: the practical challenge is reconstructing control across multiple hops, not simply flagging suspicious movement. That means the programme needs shared case data, consistent escalation paths, and clear ownership for cross-system attribution. Organisations that can preserve evidentiary continuity will make faster, more defensible decisions.

Where crypto activity touches privileged accounts, service identities, or delegated access, the same governance logic used in identity programmes starts to matter. That is especially true when suspicious movement depends on operational access, because access review and transaction review become adjacent controls rather than separate functions.


For practitioners

  • Correlate blockchain and identity signals Join wallet analytics to KYC, account recovery, device, and session telemetry so investigators can connect transfer patterns to real operators and not just addresses.
  • Prioritise high-risk transfer patterns Create review rules for mixers, bridges, and multi-hop flows so teams can triage transactions that deliberately fragment provenance across services.
  • Link AML cases to access governance Ensure suspicious activity cases can surface the identities and service accounts tied to high-risk movement, including delegate access and privileged workflows.
  • Preserve evidentiary chains early Capture transaction, identity, and case metadata at first detection so investigators can reconstruct layered laundering paths without losing provenance details.

Key takeaways

  • Crypto laundering now uses layered transfer techniques and legacy laundering tradecraft together, which makes attribution harder than simple on-chain tracing suggests.
  • Investigators need blockchain intelligence, identity verification, and case management to connect movement patterns to real operators and support enforcement.
  • The strongest control response is cross-domain governance that joins AML, fraud, and identity evidence into one investigation workflow.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing is relevant where laundering uses exchange onboarding and mule accounts.
NIST CSF 2.0PR.AC-1Access control matters when illicit actors use account access to move value.
GDPRArt.32Identity and transaction data handling requires appropriate security and confidentiality controls.
NIST SP 800-53 Rev 5AC-6Least privilege is relevant to privileged movement workflows and case access.
NIST AI RMFMANAGEIf analytics are used for triage, governance must manage model-driven risk decisions.

Strengthen identity proofing for high-risk onboarding and review exception handling for suspicious account creation.


Key terms

  • Crypto Laundering: Crypto laundering is the use of digital assets and transfer services to hide the origin, ownership, or destination of illicit funds. It often combines technical obscuration on-chain with identity deception off-chain, which means investigators need both transaction analytics and account-level evidence.
  • Mixer: A mixer is a service that pools and redistributes cryptocurrency to make source and destination links harder to trace. Mixers do not erase evidence, but they add enough ambiguity that investigators usually need clustering, timing, and external identity signals to rebuild provenance.
  • Blockchain Intelligence: Blockchain intelligence is the analytical use of ledger data to identify risk, trace flows, and support investigations. In practice it combines address clustering, transaction pattern analysis, and entity attribution so compliance teams can turn raw movement into a defensible case record.
  • Know Your Customer: Know Your Customer, or KYC, is the identity verification process used to confirm who a customer is before account access or financial activity is granted. In crypto compliance, KYC helps link wallet activity to a real-world actor and supports suspicious activity detection and reporting.

What's in the full report

Chainalysis' full report covers the operational detail this post intentionally leaves for the source:

  • Deep breakdown of mixer, bridge, and hop typologies used in crypto-native laundering.
  • Investigation methods for tracing multi-step flows across chains and intermediary services.
  • Policy and compliance analysis for AML teams building blockchain-enabled case workflows.
  • Practical examples of how established laundering networks adapt their tradecraft to crypto.

👉 The full Chainalysis report covers mixer typologies, policy developments, and investigation methods.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle control. It helps security practitioners connect identity governance to the broader control decisions their programmes depend on.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org