By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ChainalysisPublished December 30, 2025

TL;DR: IRS-CI says it identified more than $10 billion in financial crime, executed over 1,400 warrants, and seized hundreds of millions of dollars in assets last year, while also stressing that cryptocurrency cases increasingly intersect with AI-enabled analysis and global partnerships, according to Chainalysis. The governance lesson is that financial crime now depends on identity, custody, and traceability controls as much as on traditional investigative reach.


At a glance

What this is: This is a Chainalysis podcast preview of IRS-CI’s annual report and crypto enforcement work, highlighting scale, casework, and the growing role of AI in investigations.

Why it matters: It matters because fraud, money laundering, and crypto theft increasingly rely on weak identity, custody, and access controls, which affects how IAM, PAM, and verification teams think about evidence, privilege, and digital asset handling.

By the numbers:

👉 Read Chainalysis’s preview of IRS-CI’s cryptocurrency investigations and annual report


Context

The core issue is not just crypto crime volume, but how financial investigations now depend on tracing digital value across wallets, exchanges, and cross-border networks. That puts a premium on evidence integrity, custody control, and the ability to correlate identity signals with transaction behavior.

For identity and security teams, this is a reminder that blockchain investigations still hinge on access governance. Whether the problem is stolen funds, sanctioned actors, or laundering networks, the operational question is who controlled the keys, who could move assets, and how quickly those access paths can be proven or interrupted.


Key questions

Q: What breaks when crypto asset control is not tied to a verified identity or custody record?

A: Investigations stall when teams can see wallet movement but cannot prove who controlled the private key or account at the critical moment. Without custody linkage, recovery actions become fragile, legal evidence weakens, and offenders may restore access after an apparent seizure. Durable attribution is as important as transaction visibility.

Q: Why do AI chat tools create risk for identity and access teams?

A: They create risk because users may rely on plausible but unverified output when making identity, access, or security decisions. That can lead to bad approvals, weak guidance, or sensitive data disclosure. The control problem is trust discipline, not just model quality.

Q: How do security teams know whether crypto monitoring is actually helping investigations?

A: Look for whether analysts can trace funds from transaction data to a defensible control owner, not just whether they can see the chain. Strong programmes reduce time to attribution, preserve chain of custody, and can show which accounts, devices, and operators were involved.

Q: Who is accountable when seized digital assets are moved without authorisation?

A: Accountability usually sits with the organisation that granted custody authority and failed to scope it tightly enough. Where law enforcement, exchanges, or custodians hold high-value assets, policy must define who can access, who can transfer, and who reviews every movement.


Technical breakdown

Blockchain tracing depends on custody and attribution, not just transaction visibility

Cryptocurrency ledgers are public, but public visibility does not equal accountability. Investigators still need to connect wallet activity to real-world entities through exchange records, device seizures, clustering heuristics, and operational mistakes made by the actors. In practice, the hard part is not seeing the movement of funds, but establishing who controlled the keys at each step and what supporting evidence survives legal scrutiny.

Practical implication: Treat wallet attribution as an evidence-governance problem and preserve chain-of-custody controls for every seized key, device, and account.

Crypto seizure workflows rely on privileged access to private keys and devices

A seizure succeeds only if investigators can obtain and safely use the private keys, hardware wallets, or exchange access needed to transfer assets before the subject can reconstitute control. That means operational security around devices, credentials, and transfer mechanisms is central to the work. The risk is similar to any high-value NHI scenario: a single exposed credential or missed access path can restore the adversary’s control.

Practical implication: Map every asset-holding system to privileged access paths and remove standing access that could let an offender reclaim funds after intervention.

AI is becoming an investigation amplifier and an abuse multiplier

The article points to AI as a tool for both defenders and offenders. For investigators, AI can help sort large volumes of transaction data, detect patterns, and accelerate link analysis. For criminals, the same capabilities can improve fraud scale, obfuscation, and targeting. This creates a governance challenge around model use, data quality, and the identity of systems that access sensitive investigative or financial data.

Practical implication: Classify AI tools used in investigations and financial operations as governed systems with explicit access boundaries, logging, and approval controls.


Threat narrative

Attacker objective: The attacker wants to move criminal proceeds beyond traceable control, convert them, and make recovery or prosecution materially harder.

  1. Entry begins with illicit proceeds moving through cryptocurrency wallets, darknet markets, or exchange accounts that hide the real beneficiary behind layered transactions.
  2. Escalation occurs when criminals use stolen private keys, compromised exchange access, or operational mistakes to expand control over funds and related infrastructure.
  3. Impact is realised through laundering, asset conversion, and cross-border movement that makes recovery and attribution slower and more resource-intensive.

NHI Mgmt Group analysis

Blockchain crime is now an identity and custody problem as much as a financial one. The article shows that investigators do not just follow money, they establish who had control of keys, devices, and exchange accounts. That makes access governance, evidence integrity, and privilege boundaries core to enforcement outcomes. For practitioners, the lesson is that crypto risk cannot be managed with transaction monitoring alone; custody governance matters too.

AI is reshaping both crypto investigations and crypto-enabled fraud. The same technology that helps law enforcement analyse large transaction sets also helps criminals scale obfuscation and social engineering. That means AI governance and financial crime controls are converging, especially where investigative tooling touches sensitive data. For practitioners, model access, data provenance, and system-level auditability need to be treated as part of the security control plane.

Digital asset seizures expose a standing-privilege failure mode that many organisations still overlook. If an adversary can recreate wallet access after initial intervention, the control gap is not visibility but durable privilege removal. This is where NHI governance intersects with asset custody: keys, recovery paths, and transfer permissions behave like privileged identities. For practitioners, every recovery or seizure workflow should be designed as a privilege revocation exercise, not a one-time transaction.

Cross-border financial crime increasingly rewards teams that can combine enforcement, analytics, and identity evidence. IRS-CI’s results reflect operational coordination more than any single tool or dataset. In broader security programmes, that points to a model where fraud, AML, and IAM teams need shared telemetry and common escalation paths. For practitioners, the future state is not isolated monitoring, but joined-up governance across identity, payment, and investigation workflows.

Named concept: custody-to-control linkage. This is the discipline of proving who controlled a digital asset at each step and whether that control was legitimate, temporary, or stolen. The concept matters because crypto investigations fail when organisations cannot connect wallet movement to a verified identity or custody event. For practitioners, the control objective is to shorten the gap between asset movement and attributable control evidence.

What this signals

Custody-to-control linkage is likely to matter more across financial crime, investigations, and digital asset operations as AI accelerates both analysis and abuse. Teams that can connect wallet movement to a verified identity event will be able to respond faster than teams relying on transaction visibility alone.

For identity programmes, the practical shift is toward shared telemetry between IAM, fraud, AML, and investigations. If a wallet, account, or device can move value, it should be governed with the same seriousness as a privileged administrative pathway.

The article also reinforces a broader governance pattern: the faster an adversary can exercise control, the more important near-real-time revocation and recovery become. That is consistent with secrets management research showing how quickly exposed credentials can be abused in the wild.


For practitioners

  • Map private-key custody to privileged access Document which people, systems, and emergency processes can move funds or export keys. Remove shared access paths and require approvals for any recovery action that can reconstitute control.
  • Treat seizure and recovery workflows as revocation events Build procedures that prove the original holder cannot regain access after intervention, including device handling, exchange coordination, and post-seizure validation of all remaining recovery paths.
  • Add identity evidence to crypto monitoring Pair wallet analytics with device, account, and operator attribution so investigations can move from transaction tracing to defensible control mapping. Preserve the evidence trail needed for legal and audit review.

Key takeaways

  • Crypto investigations are really custody and identity investigations, because proving who controlled the keys is central to attribution and recovery.
  • IRS-CI’s scale shows that financial crime response now depends on combining transaction analytics, legal process, and privileged access control.
  • Security teams should treat wallet custody, recovery paths, and seizure workflows as revocation-sensitive identity controls, not just financial operations.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0040 , ImpactThe article discusses theft, seizure, and abuse of digital access paths tied to financial crime.
NIST CSF 2.0PR.AC-1Crypto custody and investigation workflows depend on access control and identity proofing.
NIST SP 800-53 Rev 5AC-6Least privilege is central to controlling who can reconstitute or transfer digital assets.
ISO/IEC 27001:2022A.5.15Access control governance applies directly to wallet, device, and exchange permissions.

Map wallet compromise and recovery failures to credential access and impact tactics, then tighten revocation and seizure controls.


Key terms

  • Custody-to-control linkage: The process of proving which person, system, or account controlled a digital asset at a given moment. In crypto investigations, this linkage is essential because transaction visibility alone does not establish legitimacy, attribution, or whether the control was temporary, delegated, or stolen.
  • Privileged Recovery Access: Privileged recovery access is the administrative path used to restore services, recover data or repair critical systems after disruption. It is especially sensitive because attackers who reach recovery credentials can disable containment, protect their persistence or worsen ransomware impact by controlling the remediation path.
  • Evidence Integrity: Evidence integrity is the degree to which audit proof accurately reflects what the control saw and did at the time. For UARs, that means reviewers, entitlement snapshots, approvals, and revocations are captured together so auditors do not have to reconstruct the control from scattered records.
  • Transaction attribution: The act of connecting on-chain movement to a real-world actor, organisation, or account with sufficient confidence for investigation or enforcement. It combines blockchain analytics with off-chain identity evidence such as exchange records, device data, and operational mistakes.

What's in the full article

Chainalysis's full podcast preview covers the operational detail this post intentionally leaves for the source:

  • Episode discussion of IRS-CI’s working methods around cryptocurrency tracing and case progression
  • Direct commentary from Trevor McAleenan on seizures, training, and investigation planning
  • Additional references to major crypto cases, including Silk Road and Bitfinex-linked enforcement work
  • Broader discussion of AI's role in investigative efficiency and future crimefighting

👉 The full Chainalysis episode preview includes the interview, case references, and the discussion on AI in enforcement.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and machine identity security. It is built for practitioners who need to connect access control, lifecycle management, and operational risk across identity programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org