TL;DR: FATF’s new asset recovery guidance says more than 80% of jurisdictions are still operating at low or moderate effectiveness, while Chainalysis says over $75 billion in on-chain balances is linked to criminal activity, underscoring a large recovery gap and a growing role for virtual assets. The practical shift is from ad hoc seizure to lifecycle governance, tracing, custody, and liquidation controls.
At a glance
What this is: FATF has released asset recovery guidance that treats virtual assets as a distinct recovery class and emphasises tracing, seizure, custody, and phased liquidation.
Why it matters: For IAM and security practitioners, this matters because the same lifecycle discipline used for privileged access and credentials is now being applied to virtual assets, where chain-of-custody, control handoff, and operational evidence determine recovery outcomes.
By the numbers:
- FATF assessments show that more than 80% of jurisdictions are operating at low or moderate levels of effectiveness in asset recovery.
- Our research shows a substantial VA seizure opportunity: more than $75 billion in on-chain balances are linked to criminal activity overall.
- Across the sprints, partners disseminated more than 7,000 leads tied to roughly $162 million in losses.
👉 Read Chainalysis's guidance on asset recovery and virtual asset seizures
Context
Virtual asset recovery is no longer a narrow law-enforcement specialty. FATF is pushing jurisdictions to treat seizure, custody, valuation, and disposal as an end-to-end control problem, with virtual assets handled as a distinct class rather than folded into generic asset forfeiture processes.
The identity and access angle is indirect but real: the same governance questions that surround privileged credentials, custodianship, and controlled transfer now apply to wallet keys, exchange accounts, and stablecoin freeze mechanisms. That makes recovery more dependent on process integrity and evidentiary discipline than on any single tool.
FATF’s starting point is also a typical one for many jurisdictions: capability is uneven, training is inconsistent, and operational procedures often lag the asset types investigators actually encounter.
Key questions
Q: What breaks when virtual asset recovery is treated like traditional asset seizure?
A: Recovery breaks when authorities assume digital control works like physical possession. Virtual assets depend on keys, custodians, issuers, and blockchain evidence, so the seizure process must preserve chain of custody, prove control transfer, and anticipate cyber risk during holding and liquidation.
Q: Why do virtual assets require different recovery procedures than other seized property?
A: Virtual assets can be moved, frozen, burned, or traced through technical mechanisms that do not exist for most physical assets. That makes governance, evidence handling, and control authority central to successful recovery, especially when multiple parties can influence asset access.
Q: How do agencies know whether blockchain analytics is working?
A: Blockchain analytics is working when it shortens time to trace, supports defensible evidentiary records, and leads to freezes, seizures, or recoveries that survive legal scrutiny. If the output cannot be tied to a repeatable method, it is insight, not operational evidence.
Q: Who is accountable when seized digital assets are moved without authorisation?
A: Accountability usually sits with the organisation that granted custody authority and failed to scope it tightly enough. Where law enforcement, exchanges, or custodians hold high-value assets, policy must define who can access, who can transfer, and who reviews every movement.
Technical breakdown
Treat virtual assets as a distinct recovery class
Virtual assets create a different recovery model because control is mediated by cryptographic keys, exchange custody, and sometimes issuer-level freeze functions. That means identification, seizure, valuation, and disposal all need explicit procedures instead of being borrowed from traditional asset recovery playbooks. In practice, the question is not simply whether the asset exists, but who can prove control over it, how that control is transferred, and what evidence supports the transfer chain. Practical implication: jurisdictions need casework procedures that map VA control points to authority, custody, and evidence handling.
Practical implication: Build VA-specific seizure and custody procedures that document control transfer from discovery through liquidation.
Why blockchain analytics changes seizure timing
Blockchain analytics turns public ledger data into an investigative signal by linking addresses, tracing flows, and clustering related activity. Because transactions are immutable and time-stamped, investigators can often move from suspicion to traceability faster than in many traditional asset cases, provided they have trained staff and admissible methods. The article also notes that court acceptance matters, because analytics only helps if the resulting evidence survives challenge. Practical implication: treat blockchain tracing as both an investigative method and an evidentiary workflow, not as a standalone data source.
Practical implication: Align tracing methods with evidentiary standards before using them in seizure decisions or court submissions.
Custody and liquidation are part of security, not afterthoughts
Once virtual assets are seized, they remain exposed to cyber theft, fraud, volatility, and operational loss. Cold storage, vetted custodians, and documented handling are not administrative extras. They are the controls that preserve the value of the seizure while authorities decide whether to hold, convert, or liquidate. Centralised stablecoin mechanisms add another layer because freeze or burn functionality can assist recovery when legal authority exists. Practical implication: recovery teams need custody controls and liquidation rules before assets are transferred, not after.
Practical implication: Put cold storage, custodian vetting, and phased liquidation rules in place before seized assets move into government control.
Threat narrative
Attacker objective: The attacker or criminal actor seeks to preserve, move, and ultimately realise illicit value before authorities can trace, freeze, or seize it.
- Entry occurs when criminals place value into virtual assets or stablecoins that can later be traced, frozen, or seized through wallet access, exchange custody, or issuer controls.
- Escalation happens when investigators build a control picture across addresses, custodial accounts, and on-chain flows, turning a transaction graph into actionable evidence.
- Impact is the recovery, freezing, or liquidation of illicit assets, alongside disruption of the criminal financial network that controlled them.
NHI Mgmt Group analysis
Virtual asset recovery is becoming an identity-and-control problem, not just a legal one. FATF’s guidance shows that recovery outcomes now depend on who can prove control over keys, custodians, and transfer authority. That is the same governance question identity teams already face with privileged access and delegated control, except the asset here is financial value rather than system access. Practitioners should recognise the overlap: control without traceability is not recovery-ready.
First-contact capability is the real bottleneck in virtual asset cases. The guidance makes clear that officers and investigators need to recognise wallets, seed phrases, exchange accounts, and related evidence immediately. In governance terms, this is a lifecycle failure, not a tooling failure, because the wrong first touch can destroy chain of custody or delay freezing opportunities. The practitioner conclusion is simple: readiness begins before the seizure, not during it.
Blockchain analytics is now part of operational evidence management. FATF’s emphasis on tracing and court acceptance means authorities need repeatable methods, not just software output. That mirrors how identity and access teams should think about logs, attestations, and control evidence under NIST-CSF and NIST SP 800-53. The field is moving toward evidence-backed recovery, where the quality of the control record matters as much as the control itself. Practitioners should treat analytics outputs as governed evidence.
Phased liquidation is a governance control, not just a market tactic. FATF’s warning about flooding the market highlights that disposal can destroy value if handled poorly. That introduces a practical distinction between seizure success and recovery success: holding an asset securely is not the same as realising its value without operational loss. For practitioners, the lesson is to govern liquidation as a controlled workflow with explicit thresholds and approvals.
Seizure lifecycle integrity is the named concept this guidance sharpens. The article defines a recovery model that fails whenever identification, custody, and disposal are treated as separate tasks with loose handoffs. That is a familiar governance pattern in identity security as well: once the lifecycle is fragmented, accountability becomes ambiguous and control strength falls apart. The practitioner conclusion is to manage the full lifecycle as one continuous control chain.
What this signals
Seizure lifecycle governance is the dominant signal for practitioners: the more an asset depends on traceable control, the more your operating model needs explicit ownership, evidence capture, and handoff discipline. The same logic applies to privileged identities and high-risk credentials, where recovery or revocation is only as strong as the lifecycle records behind it.
For teams that already use NIST Cybersecurity Framework 2.0 as an organising model, the practical move is to treat seizure readiness as a govern-identify-protect problem rather than a one-off investigation task. That means mapping control points, custodial dependencies, and disposal authority before a case begins, not after the asset is already in motion.
For practitioners
- Map the full VA seizure lifecycle Document how your agency or institution will move from first contact to tracing, freezing, custody, valuation, and phased liquidation. Assign named owners for each step and require evidence capture at every handoff.
- Train first responders on VA artefacts Include hardware wallets, seed phrases, exchange accounts, wallet apps, and stablecoin controls in search and seizure training so investigators can recognise recoverable assets before evidence is lost.
- Adopt blockchain analytics as an evidentiary workflow Use tracing methods that can be defended in court, with documented clustering logic, chain-of-custody records, and reviewable assumptions for every major seizure action.
- Pre-approve custody and liquidation controls Establish cold storage requirements, vetted custodians, and phased liquidation thresholds before assets enter government or corporate control, so value is not lost during holding or disposal.
Key takeaways
- FATF is reframing virtual asset recovery as a lifecycle control problem, where identification, custody, and liquidation all need explicit governance.
- The scale is material, with more than 80% of jurisdictions still at low or moderate effectiveness and more than $75 billion in criminal on-chain balances identified in Chainalysis research.
- Authorities that want better recovery outcomes need first-contact training, defensible blockchain analytics, and custody controls designed before seizure happens.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access governance maps to control over wallet keys and custodial accounts. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege matters when multiple roles can influence seizure and liquidation. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0010 , Exfiltration | Key theft and asset movement align with credential access and exfiltration tactics. |
| CIS Controls v8 | CIS-5 , Account Management | Account and key ownership need disciplined lifecycle control in recovery workflows. |
Maintain named ownership for wallet, exchange, and custody accounts and remove stale access immediately.
Key terms
- Virtual Asset Recovery: Virtual asset recovery is the process of identifying, tracing, seizing, managing, and disposing of digital assets linked to criminal activity or legal dispute. It requires both legal authority and technical control over keys, custodians, and transaction evidence.
- Blockchain Analytics: Blockchain analytics is the use of transaction tracing, clustering, and attribution methods to interpret activity recorded on public ledgers. In recovery work, it supports asset location, evidentiary development, and operational decisions about freezing or seizure.
- Chain of Custody: Chain of custody is the documented record showing who handled evidence, when it was handled, and what changed during that handling. For virtual assets, it is critical because control can shift through keys, wallets, and custodial systems without leaving physical traces.
- Phased Liquidation: Phased liquidation is the controlled sale or conversion of seized assets in stages rather than all at once. It reduces market disruption and value loss, especially for volatile or illiquid virtual assets that can be devalued by sudden large-scale disposal.
What's in the full article
Chainalysis's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step virtual asset recovery recommendations for law enforcement and policymakers who need implementation detail.
- Examples of successful cryptocurrency recoveries that show how tracing and coordination work in practice.
- Operational guidance on handling hardware wallets, exchange accounts, and stablecoin freeze mechanisms.
- Chainalysis's view on real-time public-private partnerships for crypto crime response.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity. It helps practitioners build the lifecycle discipline needed to govern high-risk identities and related control points across complex environments.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org