Illegal crypto addresses took in at least $154B in 2025, Chainalysis finds

Chainalysis has released a report revealing that illegal crypto addresses received a minimum of $154 billion in 2025. These numbers were driven by state-sponsored actors, including DPRK‑linked hackers, who facilitated an attack that stole $2 billion.  

The study described 2025 as the start of the third wave of changes in cybercrime. The first wave, which was from 2009 to 2019, was made up of malicious niche hackers. The second wave, which lasted from 2020 to 2024, saw the professionalization of illicit organizations providing on-chain infrastructure for criminal groups. 

Now, the third wave introduced nation-states moving into space at scale to evade international sanctions. This wave achieved a 162% increase year-over-year (YoY), which was also driven by a whopping 694% increase in the value received by sanctioned entities. 

However, the report states that even if the value received by sanctioned entities were flat YoY, 2025 would still mark a record year for crypto crime, as activity increased across most illicit categories.

Stablecoins amassed 84% of all illicit transaction volume

North Korean hackers had their most destructive year yet, stealing $2 billion in 2025 alone. The February Bybit exploit accounted for nearly $1.5 billion of that total, making it the largest crypto heist in crypto history. North Korean hackers are known to prioritize stablecoins with high liquidity and global exchange access, mainly USDT, USDC, and occasionally BUSD.

Besides the North Koreans, Russia indirectly had a hand in the illicit transaction through its ruble-backed A7A5 stablecoin, which facilitated over $93.3 billion in transactions in less than a year. 

This drove stablecoins to take the trophy home for amassing 84% of all illicit transaction volume. On the other hand, Bitcoin has shrunk to approximately 7%. 5 years ago, these numbers were reversed; Bitcoin accounted for roughly 70% of illicit transactions, while stablecoins accounted for just 15%. 

According to Chainalysis, this shift is due to stablecoins’ practical advantages, including ease of cross-border transfers, lower volatility, and broader utility. 

Led by Tether’s USDT and Circle’s USDC, the total market value of dollar-pegged tokens has climbed to about $317.8 billion. A7A5’s market cap is around $500 million, which makes it one of the largest non‑US‑dollar‑pegged stablecoins.

China and Iran maximize on money laundering

The report talks about how Chinese Money Laundering Networks (CMLNs) have become a major player in the illegal ecosystem. These networks now offer “laundering-as-a-service” and other specialized criminal infrastructure based on the frameworks set up by companies like Huione Guarantee.

These full-service operations support everything from fraud and scams to laundering North Korean hack proceeds, sanctions evasion, and terrorist financing.

Iran made similar gains in using crypto. The country’s Islamic Revolutionary Guard Corps and its proxy network facilitated more than $2 billion in money laundering, illicit oil sales, and the procurement of arms on-chain.  According to the report, terrorist organizations aligned with Iran, including Lebanese Hezbollah, Hamas, and the Houthis, are using crypto at unprecedented scales.

Chainalysis also warns of growing connections between on-chain activity and violent crime. Human trafficking operations have increasingly leveraged cryptocurrency, while “physical coercion attacks” in which criminals use violence to force victims to transfer assets have risen sharply, often timed to coincide with crypto price peaks.

This year, Cryptopolitan has already reported on crypto thieves who terrorized a small investor at home with brutal invasions. The criminal used a gun to demand phone, laptop, and wallet access.

Since 2020, more than 215 physical crypto attacks have been recorded worldwide, with 2025 nearly doubling the prior year. Security tracker Jameson Lopp has said the real number is higher because many victims stay silent.

If you're reading this, you’re already ahead. Stay there with our newsletter.