TL;DR: Sanctioned entities received 694% more value in 2025, pushing illicit transaction volume to a record $154 billion as states embedded crypto into trade settlement, procurement, and proxy financing, according to Chainalysis. The governance lesson is clear: enforcement now has to track service layers, not just wallets, because scale and speed have become operational features of state-backed abuse.
NHIMG editorial — based on content published by Chainalysis: 2026 Crypto Crime Report coverage of sanctions evasion and state-backed crypto activity
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when sanctioned actors can keep using legitimate crypto service layers?
A: The main failure is not simply illicit ownership of funds, but retained access to conversion and settlement infrastructure after enforcement should have cut it off.
Q: Why do stablecoins make sanctions enforcement harder for compliance teams?
A: Stablecoins reduce friction between jurisdictions, asset classes, and counterparties, which makes them attractive for both legitimate trade and sanctions evasion.
Q: How do teams know whether intermediary risk is actually under control?
A: Look for measurable reduction in time-to-review, time-to-disable, and time-to-offboard high-risk counterparties.
Practitioner guidance
- Model exchanges and brokers as privileged intermediaries Inventory every exchange, broker, bridge, and swap service that can move value for your organisation or regulated counterparties.
- Shorten deprovisioning windows for high-risk counterparties Define a sanctions-triggered offboarding process that removes access to settlement rails, API connections, and managed wallet services immediately after designation or credible risk escalation.
- Tie AML alerts to identity and relationship data Correlate transaction monitoring with counterparty ownership, approval chain, and service-provider lifecycle records so investigators can see who enabled the flow, not only where the flow moved.
What's in the full report
Chainalysis's full report covers the operational detail this post intentionally leaves for the source:
- Breakdowns of how specific sanctioned networks moved funds through A7A5, Grinex, and related intermediaries.
- Regional detail on Iran, Russia, North Korea, and Southeast Asian scam ecosystems with transaction patterns and attribution context.
- The report's case-by-case sanctions actions and the infrastructure providers targeted alongside wallets and exchanges.
- Methodology notes on how Chainalysis calculated illicit volume and identified state-linked activity.
👉 Read Chainalysis's 2026 Crypto Crime Report on sanctions evasion and state-backed crypto flows →
Sanctions evasion on-chain: what practitioners need to watch?
Explore further
State-backed crypto abuse has become a service-layer governance problem, not just a wallet problem. The report shows sanctions evasion operating through exchanges, brokers, bridges, and stablecoins at industrial scale. That changes the control boundary from transaction tracing alone to the governance of the entities that make those transactions possible. Practitioners should model intermediaries as part of the attack surface, not just the infrastructure around it.
A question worth separating out:
Q: Which frameworks are most relevant to sanctions-linked crypto governance?
A: NIST Cybersecurity Framework 2.0 is useful for structuring governance, monitoring, and response, while identity-oriented controls help formalise lifecycle management of high-risk relationships. For regulated environments, AML, KYC, and sanctions obligations should be connected to access review and third-party governance rather than treated as separate workstreams.
👉 Read our full editorial: Crypto sanctions evasion is scaling into state infrastructure