By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ChainalysisPublished March 5, 2026

TL;DR: Sanctioned entities received 694% more crypto in 2025 and illicit addresses handled a record $154 billion, driven by state actors embedding digital assets into financial infrastructure and policy goals, while North Korea stole over $2 billion and A7A5 processed more than $93 billion, according to Chainalysis. Crypto sanctions evasion is no longer a niche compliance issue; it is an infrastructure, liquidity, and attribution problem that changes how security and risk teams think about control boundaries.


At a glance

What this is: Chainalysis reports that sanctioned-entity receipts rose 694% in 2025, with illicit crypto flows reaching a record $154 billion as states turned blockchain infrastructure into a sanctions-evasion and financing tool.

Why it matters: For IAM, NHI, and broader security teams, the lesson is that identity, infrastructure access, and transaction controls now matter across financial, cloud, and operational domains because abuse is scaling through systems, not just wallets.

By the numbers:

👉 Read Chainalysis's analysis of state-backed crypto sanctions evasion in 2025


Context

The core governance gap is no longer whether blockchain activity is visible, but whether organisations can distinguish legitimate cross-border use from state-backed sanctions evasion at scale. When sanctioned actors, proxy networks, and infrastructure providers converge, the control problem shifts from isolated transactions to the identities, services, and payment rails that move value across jurisdictions.

For security and risk practitioners, this is relevant because crypto abuse now intersects with access governance, service-provider trust, and non-human identity controls in the same way that cloud and API abuse do. The article shows that sanctions evasion is increasingly operationalised through exchanges, OTC brokers, stablecoins, and intermediary services, which is typical of modern illicit-finance ecosystems rather than a one-off anomaly.


Key questions

Q: What breaks when sanctions monitoring focuses only on wallets?

A: Wallet-only monitoring misses the intermediary layer where sanctioned actors actually keep value moving. Exchanges, OTC brokers, bridges, and swap services can reconstitute access even after specific addresses are flagged. Effective controls have to follow the flow, the operator, and the infrastructure that makes the transaction possible, not just the final address.

Q: Why do stablecoin rails create persistent sanctions risk?

A: Stablecoins combine liquidity, speed, and broad interoperability, which makes them attractive for legitimate settlement and illicit bypass alike. That means sanctions risk persists even when transactions are technically visible on-chain. The real challenge is deciding which flows are routine commerce and which are structured to evade controls or support proxy financing.

Q: What do security teams get wrong about chain hopping?

A: They often treat chain hopping as a forensic inconvenience rather than a governance signal. In practice, it shows that the same operational capability can move across networks while maintaining access to liquidity and counterparties. Teams should therefore correlate infrastructure, entity changes, and transaction patterns instead of relying on static blacklists alone.

Q: Who is accountable when a service provider helps sanctions evasion?

A: Accountability sits with the organisation that approves, monitors, and continues the relationship with the provider, not just with the service itself. When intermediaries route suspicious flows, governance should include onboarding due diligence, continuous reassessment, and documented offboarding. That is especially important where the provider can change labels without changing capability.


Technical breakdown

Stablecoin rails turn sanctions evasion into a repeatable workflow

Stablecoins are useful to sanctioned actors because they combine speed, liquidity, and broad interoperability with public-chain traceability. That combination allows a sanctioned entity to move value across borders while still relying on exchanges, OTC brokers, bridges, and swap services to reach the broader crypto economy. The operational pattern is not simply “hide the money”. It is to preserve settlement utility while distributing risk across many intermediaries, each of which becomes a governance dependency. This creates a control challenge similar to third-party access sprawl in identity programmes: the ecosystem is visible, but the trust boundaries are fragmented.

Practical implication: Practitioners need transaction monitoring and counterparty governance that treat stablecoin pathways as an access problem, not just a payments problem.

State-linked actors are using infrastructure layers, not only wallets

The article shows a shift from targeting individual addresses to targeting hosting providers, exchanges, bridge operators, and swap infrastructure that enable sustained sanctions evasion. That matters because infrastructure providers can absorb, route, and reconstitute illicit flows even when wallets are under scrutiny. In identity terms, this resembles overreliance on intermediary trust without strong lifecycle controls: once a service node is accepted, its downstream activity can persist far beyond the initial approval decision. The architecture is therefore the attack surface.

Practical implication: Security teams should map critical service dependencies and apply stronger onboarding, continuous review, and termination controls to intermediaries that move or store value.

Chain hopping and rebranding complicate attribution

Chain hopping moves value across different networks to blur forensic continuity, while rapid rebranding lets sanctioned services reappear under new names and entities. The A7A5 and Grinex pattern described in the article is a good example of how legal form, technical infrastructure, and operational control can be split across multiple parties. This makes static blacklists insufficient on their own. The deeper issue is governance over identity persistence, where the same operational capability survives even when the label changes.

Practical implication: Compliance teams should correlate wallets, operators, hosting, and naming changes rather than relying on entity names alone.


Threat narrative

Attacker objective: The objective is to sustain sanctions evasion and strategic financing while keeping illicit value mobile, deniable, and operationally useful.

  1. Entry occurs through sanctioned exchanges, OTC brokers, swap services, and infrastructure providers that enable the first conversion or movement of value into the illicit network.
  2. Escalation happens when actors chain-hop, rebrand services, and use bridges or DeFi rails to preserve liquidity while obscuring the transaction path.
  3. Impact is achieved when sanctioned states and proxy networks sustain cross-border settlement, bankroll operations, and finance criminal or strategic activity at scale.

NHI Mgmt Group analysis

Crypto sanctions evasion has become an infrastructure governance problem, not a wallet-level anomaly. The article shows that the decisive risk sits in exchanges, brokers, bridges, and hosting layers that keep value moving even after specific addresses are identified. That shifts the control conversation from detection alone to service-provider lifecycle governance, counterparty review, and flow interdiction. Practitioners should treat infrastructure trust as a security boundary.

Stablecoin liquidity is now a sanctions-evasion dependency. The practical value of stablecoins is what makes them attractive to states and proxy networks: fast settlement, broad reach, and conversion into other assets. That creates a governance paradox because the same properties that support legitimate commerce also reduce friction for illicit trade and proxy financing. Security teams should model stablecoin pathways as recurring exposure, not exceptional abuse.

Chain hopping has turned attribution into a cross-domain identity problem. When the same operational network can change labels, entities, and chains while preserving capability, traditional name-based enforcement loses effectiveness. This is where NHI and service identity thinking matters: the entity label is less important than the persistent operational relationships behind it. Practitioners should anchor controls to infrastructure, operator behaviour, and transaction patterns.

State-backed crypto abuse now mirrors advanced threat programmes in its use of intermediaries. The article’s examples show coordinated use of proxies, infrastructure services, and jurisdictional fragmentation to create resilience. That is familiar territory for defenders in IAM and cloud security, where unmanaged delegated access creates lasting exposure. The implication is clear: if the intermediary layer is not governed, the enforcement layer will always be late.

Sanctions enforcement is moving toward service-layer pressure, and that should change programme priorities. The market signal is that regulators are no longer focused only on endpoints of illicit flow. They are targeting the technical and commercial layers that make those flows operational. Practitioners should re-evaluate third-party onboarding, monitoring, and offboarding as core controls for financial and identity risk.

What this signals

Service-layer sanctions abuse is a governance pattern that identity teams already understand. When a platform can be rebranded, re-hosted, or re-routed without losing operational capability, the control question becomes who is responsible for ongoing trust, not just initial approval. For practitioners, the lesson is to apply lifecycle discipline to intermediaries in the same way IAM and PAM teams manage access boundaries.

The practical implication is that teams should connect sanctions screening, counterparty risk, and infrastructure governance to the same review cadence. That is where an identity lens adds value: not by turning financial compliance into IAM, but by exposing how persistent trust relationships allow abuse to survive policy intent.

Crypto programmes that depend on stablecoin liquidity, cross-border counterparties, or OTC brokers should expect more scrutiny of the service layers that enable those flows. The operational response is to move from point-in-time checks to continuous relationship monitoring, with escalation paths that can terminate access before a service becomes a sanctions-evasion dependency.


For practitioners

  • Map intermediary exposure across payment rails Inventory exchanges, OTC brokers, bridges, and swap services that can move value across jurisdictions. Classify each counterparty by risk, jurisdictional reach, and ability to obscure transaction provenance. Prioritise review of services that support rapid conversion between stablecoins and major settlement assets.
  • Harden onboarding for high-risk service providers Require enhanced due diligence before any platform, broker, or infrastructure provider can handle cross-border value movement. Include beneficial ownership checks, sanctions screening, and a clear operating model for how the service can be revalidated if it changes name, chain, or control structure.
  • Implement continuous offboarding for compromised intermediaries Do not rely on one-time approval decisions for third-party services that remain in the transaction path. Reassess access, permissions, and routing privileges when entities are designated, rebranded, or linked to adjacent illicit networks. Treat offboarding as a live control, not an administrative closeout.
  • Correlate wallet, operator, and infrastructure signals Build detection logic that connects wallet behaviour with hosting, naming, and operator relationships. A single address may look benign while the surrounding service stack is repeatedly associated with sanctions evasion, fraud, or proxy financing. Cross-linking those signals improves attribution and actionability.

Key takeaways

  • The article shows that sanctions evasion has shifted from isolated wallets to the infrastructure that moves, hides, and reconstitutes value.
  • The scale is material, with illicit crypto flows reaching $154 billion in 2025 and sanctioned-entity receipts rising 694%.
  • Practitioners need service-layer governance, continuous monitoring, and offboarding discipline to control the intermediary risk that wallets alone cannot address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access governance maps to intermediary trust and controlled value movement.
NIST SP 800-53 Rev 5AC-2Account management is relevant where service providers and operators change over time.
CIS Controls v8CIS-5 , Account ManagementAccount lifecycle discipline fits recurring service-provider and operator exposure.
NIST AI RMFMANAGEAI RMF Manage is relevant where analytics and automated monitoring shape risk handling.

Use AC-2 to enforce lifecycle review of counterparties, operators, and privileged service access.


Key terms

  • Sanctions evasion: Sanctions evasion is the deliberate movement of value or goods to avoid legal restrictions imposed on designated people, entities, or jurisdictions. In crypto markets, it often relies on speed, cross-border settlement, and intermediary services that make destination tracing harder without strong monitoring.
  • Chain Hopping: A laundering technique that moves assets across multiple blockchains to break forensic continuity. It does not remove visibility, but it makes tracing harder because analysts must correlate activity across different ledgers, services, and operator identities to reconstruct the full path of funds.
  • Stablecoin Liquidity: The ability to convert value quickly into a token that tracks a fiat currency and can be used broadly across crypto markets. For sanctioned or criminal actors, liquidity matters because it turns hidden value into usable settlement capability without relying on traditional banking rails.
  • Intermediary Risk: The exposure created when a third party sits between an organisation and the transaction, system, or service it depends on. In crypto governance, intermediary risk includes counterparty failure, rebranding, jurisdictional change, and the possibility that a seemingly legitimate service is enabling illicit flows.

What's in the full report

Chainalysis's full analysis covers the operational detail this post intentionally leaves for the source:

  • Country-by-country breakdowns of sanctioned crypto activity and proxy network behaviour.
  • Detailed case analysis of A7A5, Grinex, and other infrastructure-linked evasion patterns.
  • Transaction-flow evidence showing how bridges, OTC desks, and swap services support movement across jurisdictions.
  • Regulatory response timelines from OFAC, the EU, OFSI, and allied authorities.

👉 The full Chainalysis report covers the A7A5 network, North Korea, Iran, Venezuela, and enforcement patterns in detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It helps practitioners translate identity controls into enforceable governance across the systems their programmes depend on.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org