By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ChainalysisPublished March 5, 2026

TL;DR: Sanctioned entities received 694% more value in 2025, pushing illicit transaction volume to a record $154 billion as states embedded crypto into trade settlement, procurement, and proxy financing, according to Chainalysis. The governance lesson is clear: enforcement now has to track service layers, not just wallets, because scale and speed have become operational features of state-backed abuse.


At a glance

What this is: Chainalysis says sanctioned entities drove a 694% surge in crypto value received, helping push illicit volume to $154 billion in 2025.

Why it matters: For identity, access, and fraud teams, the finding shows how sanctioned activity increasingly depends on managed service layers, exchange access, and cross-border operational identities rather than isolated wallets alone.

By the numbers:

👉 Read Chainalysis's 2026 Crypto Crime Report on sanctions evasion and state-backed crypto flows


Context

Sanctions evasion has moved from hidden bank accounts into blockchain-native operations that are faster, more distributed, and easier to scale across borders. The primary governance problem is no longer only tracing funds, but understanding which exchanges, brokers, stablecoins, and service providers create the access layer for illicit activity.

For IAM, PAM, and fraud practitioners, this is an identity and access problem as much as a financial crime problem. The same control questions that apply to privileged service accounts, offboarding, and third-party access apply here to exchanges, brokers, and managed wallet infrastructure, which is why the boundary between sanctions compliance and identity governance is tightening.


Key questions

Q: What breaks when sanctioned actors can keep using legitimate crypto service layers?

A: The main failure is not simply illicit ownership of funds, but retained access to conversion and settlement infrastructure after enforcement should have cut it off. When exchanges, brokers, or swap services remain reachable, sanctioned actors can repackage value, preserve liquidity, and continue operating under a new label. That is a lifecycle control failure, not just a detection problem.

Q: Why do stablecoins make sanctions enforcement harder for compliance teams?

A: Stablecoins reduce friction between jurisdictions, asset classes, and counterparties, which makes them attractive for both legitimate trade and sanctions evasion. Compliance teams then have to separate ordinary settlement activity from state-backed or proxy-linked flows using relationship data, not just transaction appearance. The problem is scale, speed, and reuse of the same rails for different intents.

Q: How do teams know whether intermediary risk is actually under control?

A: Look for measurable reduction in time-to-review, time-to-disable, and time-to-offboard high-risk counterparties. If a broker, exchange, or service provider can remain functionally reachable after a designation or escalation, the control is not working. Effective governance should show rapid revocation, clear ownership, and documented decision trails.

Q: Which frameworks are most relevant to sanctions-linked crypto governance?

A: NIST Cybersecurity Framework 2.0 is useful for structuring governance, monitoring, and response, while identity-oriented controls help formalise lifecycle management of high-risk relationships. For regulated environments, AML, KYC, and sanctions obligations should be connected to access review and third-party governance rather than treated as separate workstreams.


Technical breakdown

How sanctioned value moves through crypto service layers

Sanctioned activity rarely depends on a single wallet. It uses a service chain that can include exchanges, OTC brokers, stablecoins, bridges, and instant swap services to convert, move, and repackage value across jurisdictions. That makes the operational identity of the service provider central to the risk, because the abuse sits in the access path as much as in the asset itself. The transparency of blockchains helps investigators, but it does not stop reconstitution of the flow through new infrastructure. The real architectural challenge is that each service layer can reset visibility while preserving functional continuity.

Practical implication: Map every sanctioned or high-risk flow to the service accounts, approval paths, and offboarding controls that make it possible.

Why stablecoins change sanctions enforcement economics

Stablecoins give sanctioned actors liquidity, speed, and interoperability that traditional correspondent banking would not easily provide. In practice, they act like a settlement rail that can be re-used across different trade and financing contexts, including procurement and proxy funding. That reduces friction for the actor while increasing the volume and tempo of movements investigators must review. The shift matters because compliance teams are now dealing with industrialised transaction patterns rather than isolated laundering events. This is a scale problem, but it is also a control design problem rooted in how access to rails is granted and monitored.

Practical implication: Tie stablecoin exposure to policy, monitoring, and identity controls for counterparties and intermediaries.

The service-layer control gap behind state-backed crypto abuse

Service-layer sanctions evasion: the weak point is not always the wallet, but the exchange, broker, or infrastructure provider that enables conversion and concealment. Once sanctioned actors can access a compliant-looking service layer, they can blend illicit and licit activity, rebrand quickly, and maintain operational continuity after designations. That is why the same governance logic used for third-party access in enterprise IAM applies here: lifecycle control, monitoring, and timely deprovisioning determine whether access becomes durable. For practitioners, the lesson is to treat intermediary infrastructure as a governed identity surface.

Practical implication: Treat intermediaries as governed access points and require lifecycle controls for every service relationship.


Threat narrative

Attacker objective: The objective is to preserve cross-border value movement while hiding state-linked financial activity from sanctions enforcement.

  1. Entry occurs when sanctioned actors or proxies access exchanges, brokers, or instant swap services that provide conversion into mainstream crypto rails.
  2. Escalation follows as funds are moved through stablecoins, bridges, and rebranded services to obscure provenance and preserve liquidity.
  3. Impact is achieved when state-linked networks use the resulting infrastructure to finance operations, evade sanctions, or fund weapons and proxy activity.

NHI Mgmt Group analysis

State-backed crypto abuse has become a service-layer governance problem, not just a wallet problem. The report shows sanctions evasion operating through exchanges, brokers, bridges, and stablecoins at industrial scale. That changes the control boundary from transaction tracing alone to the governance of the entities that make those transactions possible. Practitioners should model intermediaries as part of the attack surface, not just the infrastructure around it.

Sanctions enforcement now depends on lifecycle control of access paths. When Grinex, A7A5, and related services absorb and redirect traffic, the relevant failure is not simply illicit ownership, but durable access to conversion and settlement rails after designation. That is analogous to identity programmes that miss offboarding or let third parties retain standing access. The field needs stronger lifecycle discipline for intermediaries, because delayed revocation creates economic continuity for bad actors.

Crypto transparency helps investigators, but it does not eliminate governance debt. On-chain visibility makes large flows easier to detect, yet visibility alone does not resolve who approved the relationship, how access was granted, or when it should have ended. The governance gap is familiar from IAM and PAM: if a high-risk actor can keep using a legitimate channel, detection arrives after the abuse is already operational. Practitioners should align sanctions controls with access governance rather than treat them as separate disciplines.

Cross-border financial crime is converging with identity assurance at the service-provider layer. Exchanges and brokers are effectively operational identities with permissions, trust relationships, and lifecycle obligations. That makes KYC, AML, counterparties, and infrastructure providers part of a single governance problem. For identity teams, the implication is to extend access review thinking to high-risk financial intermediaries and treat retained reachability as a material control failure.

State actors are proving that speed, not sophistication alone, drives sanctions evasion scale. The report’s examples show how quickly illicit actors reconstitute after disruption by shifting to new rails or rebranded services. That means governance teams should measure time-to-disable, time-to-detect, and time-to-couple enforcement across ecosystems. The practitioners who reduce those intervals will constrain the next wave of sanctioned activity.

What this signals

The programme-level signal is that sanctions compliance, fraud controls, and identity governance are converging around the same question: who can still reach a high-risk service after policy says they should not. That makes lifecycle discipline, ownership, and revocation speed the key measures of control effectiveness rather than the volume of alerts generated.

Intermediary reachability debt: persistent access to exchanges, brokers, and conversion services becomes a hidden liability when ownership or designation changes. Teams should treat that persistent reachability as a measurable control gap and track how quickly it is removed after escalation.

For organisations with exposure to crypto rails, the practical focus should be on counterparties, not just wallets. The most useful next step is to combine relationship inventories with governance controls already used in IAM, PAM, and third-party risk, then measure how long a compromised or designated service remains usable.


For practitioners

  • Model exchanges and brokers as privileged intermediaries Inventory every exchange, broker, bridge, and swap service that can move value for your organisation or regulated counterparties. Classify them by access risk, approval authority, and the speed at which they can re-route funds after sanctions action.
  • Shorten deprovisioning windows for high-risk counterparties Define a sanctions-triggered offboarding process that removes access to settlement rails, API connections, and managed wallet services immediately after designation or credible risk escalation. Use the same discipline you would apply to privileged third-party accounts.
  • Tie AML alerts to identity and relationship data Correlate transaction monitoring with counterparty ownership, approval chain, and service-provider lifecycle records so investigators can see who enabled the flow, not only where the flow moved. This is especially important where stablecoins and bridges obscure the original source.
  • Review standing access across crypto service providers Look for relationships where an intermediary retains persistent reachability to wallets, APIs, or settlement functions after the original business purpose has expired. Persistent reachability is often the control gap that lets sanctioned activity continue under a fresh label.
  • Align sanctions workflows with NIST control thinking Use NIST Cybersecurity Framework 2.0 and identity-oriented controls to formalise ownership, escalation, and revocation decisions for high-risk financial services. For broader identity governance, extend the same review logic to third-party access and privileged service relationships.

Key takeaways

  • Crypto sanctions evasion now behaves like a governed access problem, with exchanges, brokers, and bridges acting as the real control surface.
  • The report’s scale figures show that sanctioned activity is no longer marginal, which makes speed of revocation and lifecycle control central to enforcement.
  • Practitioners should connect sanctions workflows to access governance so that intermediary relationships are reviewed, disabled, and audited like any other privileged access path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.OC-03The report centres on governance and sanctioned-activity risk across crypto service layers.
NIST SP 800-53 Rev 5AC-6Least privilege is relevant where intermediaries retain persistent access to value-moving rails.
MITRE ATT&CKTA0006 , Credential Access; TA0010 , ExfiltrationThe abuse pattern involves access to trusted rails and movement of value through them.
ISO/IEC 27001:2022A.5.19Supplier relationships are central because exchanges and brokers function as high-risk providers.
NIST AI RMFGOVERNAI is not the primary domain, so AI RMF is not relevant here.

Use CSF governance and monitoring functions to assign ownership for high-risk counterparties and conversion services.


Key terms

  • Sanctions evasion: Sanctions evasion is the deliberate movement of value or goods to avoid legal restrictions imposed on designated people, entities, or jurisdictions. In crypto markets, it often relies on speed, cross-border settlement, and intermediary services that make destination tracing harder without strong monitoring.
  • Stablecoin Rail: A stablecoin rail is the payment infrastructure used to move value using tokenised assets rather than traditional card or bank settlement. In governance terms, it shifts control from intermediary-heavy processing to wallet, key, and policy management, which creates a stronger need for privileged access oversight.
  • Service-Layer Risk: Service-layer risk is the exposure created when an intermediary platform, broker, or infrastructure provider enables abusive activity even if it does not own the underlying assets. In identity terms, it is a governed access problem: the right to use the service is often the real attack surface.

What's in the full report

Chainalysis's full report covers the operational detail this post intentionally leaves for the source:

  • Breakdowns of how specific sanctioned networks moved funds through A7A5, Grinex, and related intermediaries.
  • Regional detail on Iran, Russia, North Korea, and Southeast Asian scam ecosystems with transaction patterns and attribution context.
  • The report's case-by-case sanctions actions and the infrastructure providers targeted alongside wallets and exchanges.
  • Methodology notes on how Chainalysis calculated illicit volume and identified state-linked activity.

👉 The full Chainalysis report covers the A7A5 network, IRGC-linked flows, DPRK theft, and enforcement trends in detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and IAM fundamentals. It is designed for practitioners who need a common control language across identity, access, and lifecycle risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org