Chainalysis Crypto Crime Report 2026: $154 Billion in Illicit Crypto Explained

What Is the Chainalysis Crypto Crime Report?

The Chainalysis Crypto Crime Report is the most widely cited annual analysis of illicit activity in the cryptocurrency ecosystem. Published by Chainalysis, the leading blockchain analytics firm, it tracks how criminals, nation-states, and illicit organizations use cryptocurrency — and, crucially, how they get caught.

Since its inception, the report has become required reading for regulators, compliance officers, law enforcement agencies, and investors worldwide. The 2026 edition, covering data from 2025, reveals a crypto crime landscape that has fundamentally shifted from lone hackers to state-sponsored operations.

For anyone evaluating cryptocurrency as an investment or business tool, this report provides the most authoritative data on what risks actually exist — and what protections the blockchain’s inherent transparency provides. You can explore the full report as an interactive experience in our library.

The Headline Numbers: $154 Billion in Crypto Crime Statistics

The 2026 Chainalysis Crypto Crime Report delivers a staggering headline: illicit cryptocurrency addresses received at least $154 billion in 2025. That represents a 162% increase year-over-year, dwarfing the 2024 figure of $57.2 billion (itself revised upward from the initially reported $40.9 billion).

But context transforms this number from alarming to nuanced. Chainalysis estimates that illicit activity still represents less than 1% of all attributed cryptocurrency transaction volume. The vast majority of on-chain activity remains entirely legitimate.

The 162% spike is overwhelmingly driven by one factor: a 694% increase in sanctioned entity activity. Russia’s launch of the A7A5 ruble-backed token alone accounted for $93.3 billion. Strip out sanctions evasion, and 2025 would still set a record — but a far less dramatic one.

Chainalysis also emphasizes that these are lower-bound estimates. Historical revisions consistently push figures upward as more illicit addresses are identified. The 2024 estimate, for instance, grew from $40.9B to $57.2B within 12 months.

Why the Numbers Keep Growing

Three structural forces explain the persistent growth in crypto crime statistics:

1. Professionalization — Illicit organizations now operate full-stack on-chain infrastructure, offering laundering-as-a-service and specialized tools
2. Nation-state adoption — Countries under sanctions (Russia, North Korea, Iran) have shifted from tentative experiments to industrial-scale crypto operations
3. AI enablement — Artificial intelligence has dramatically lowered the cost and increased the effectiveness of scams, phishing, and social engineering

Nation-State Threats: When Countries Become the Hackers

The most significant shift in the 2026 Chainalysis crypto crime report is the rise of nation-state actors as the dominant force in cryptocurrency crime. This isn’t garage-level hacking — it’s geopolitical warfare conducted on-chain.

North Korea: $2 Billion Stolen, $6.75 Billion Cumulative

The Democratic People’s Republic of Korea (DPRK) stole $2.02 billion in cryptocurrency in 2025 — a 51% increase over 2024 — pushing their all-time total to $6.75 billion. North Korean hackers accounted for a record 76% of all service compromises.

Their tactics have evolved beyond traditional hacking. DPRK operatives now embed IT workers inside crypto companies, gaining privileged access before executing high-impact thefts. They’ve also begun impersonating recruiters and investors for major Web3 firms, using fake hiring processes and “due diligence” meetings to harvest credentials.

“North Korean threat actors are increasingly achieving outsized results by embedding IT workers inside crypto services to gain privileged access and enable high-impact compromises.” — Chainalysis 2026 Report

The crown jewel of their 2025 campaign: the Bybit exchange hack in February, netting $1.5 billion in a single attack — the largest digital heist in cryptocurrency history.

Russia: The A7A5 Token and $93 Billion in Sanctions Evasion

Russia launched the A7A5 ruble-backed token in February 2025 as a systematic tool for sanctions evasion. In less than one year, the token facilitated $93.3 billion in transactions — transforming cryptocurrency from a niche sanctions workaround into a core pillar of Russia’s parallel financial infrastructure.

Sanctioned entities collectively moved $104 billion in cryptocurrency throughout 2025, a 694% surge that reflects how nation-states have integrated digital assets into their financial operations at scale.

Iran: $2+ Billion Through Proxy Networks

Iran’s proxy networks — including Hezbollah, Hamas, and the Houthis — used cryptocurrency to facilitate money laundering, illicit oil sales, and arms procurement to the tune of $2+ billion through confirmed wallets identified in sanctions designations. These are not small, experimental operations; they represent systematic adoption at military scale.

Stolen Funds: $3.4 Billion and the Bybit Mega-Hack

The cryptocurrency industry witnessed over $3.4 billion in theft in 2025. The data reveals an increasingly extreme distribution: the top three hacks accounted for 69% of all losses, and the ratio between the largest hack and the median incident crossed the 1,000x threshold for the first time.

A notable positive: despite increased Total Value Locked (TVL) in DeFi, hack losses from decentralized finance remained suppressed in 2024-2025, suggesting that improved security practices are making a meaningful difference. Individual wallet compromises surged to 158,000 incidents, but total value stolen from individuals actually declined from $1.5 billion to $713 million.

The threat is increasingly concentrated in centralized services. Exchanges and custodians, despite institutional security teams, remain vulnerable to sophisticated attacks on private key infrastructure and signing processes. Centralized service compromises accounted for 88% of losses in Q1 2025.

Scams and Fraud: AI Supercharges a $17 Billion Industry

Chainalysis estimates that $17 billion was stolen through crypto scams and fraud in 2025. On-chain data confirms at least $14 billion in direct scam inflows, with the remainder projected based on historical revision patterns.

The defining trend is the industrialization of scams through artificial intelligence. AI-enabled scams were 4.5 times more profitable than traditional methods. Impersonation scams — where criminals pose as legitimate organizations or authority figures — grew a staggering 1,400% year-over-year.

The Rise of Industrial-Scale Fraud

Several factors converged to make 2025 a record year for crypto scams:

• AI deepfakes — Scammers create convincing video impersonations of executives, government officials, and crypto influencers
• Phishing-as-a-Service — Chinese cybercriminal group “Darcula” offers turnkey phishing tools with hundreds of templates for fake government websites
• Pig butchering at scale — Romance scams run from forced labor compounds in Cambodia, Myanmar, and other Southeast Asian countries
• Average payment surge — The average scam payment jumped from $782 to $2,764 (253% increase), indicating higher-value victims

Law enforcement scored significant victories against scam operations. The UK recovered 61,000 bitcoin, and a $15 billion seizure targeted the Prince Group criminal organization, whose CEO was sanctioned for facilitating pig butchering scams through cryptocurrency networks. These recoveries demonstrate that blockchain transparency gives investigators tools that simply don’t exist in traditional financial crime.

For investors seeking to understand how these scam patterns work, our Interactive Library offers detailed, navigable analyses of major financial reports and research documents.

Ransomware: Payments Decline but the Threat Evolves

In a rare bright spot, ransomware payments declined significantly. Chainalysis tracked approximately $820 million in payments to ransomware actors in 2025 — though this figure is expected to rise to around $900 million as more incidents are attributed. Either way, it represents a 35% decrease from 2023’s record $1.25 billion.

Payment activity slowed particularly after July 2024, declining approximately 34.9% in the second half. The decline reflects several factors:

• Better defenses — Organizations invested heavily in backup systems, incident response plans, and cyber insurance
• Reduced willingness to pay — Public sector and enterprise victims increasingly refuse ransom demands
• Law enforcement disruptions — Major ransomware groups faced takedowns and arrests
• Insurance requirements — Cyber insurance policies now mandate specific security practices

Despite lower payments, the number of ransomware attacks reached record levels. Attackers are targeting more organizations but extracting less per incident — a pattern that suggests the defensive ecosystem is working, even as the threat persists.

The Stablecoin Paradox: 84% of Illicit Volume, But Easier to Seize

One of the most important shifts revealed in the Chainalysis crypto crime report is the dominance of stablecoins in illicit transactions. Stablecoins now account for 84% of all illicit crypto transaction volume, up from 63% in 2024 and a near-complete reversal from the Bitcoin-dominated landscape of 2020-2021.

This mirrors the legitimate market, where stablecoins occupy a growing share of all crypto activity due to their practical benefits: cross-border transferability, lower volatility, and broader utility. Criminals prefer stablecoins for the same reasons businesses do.

But here’s the paradox: stablecoins are arguably worse for criminals than Bitcoin. Why? Because stablecoin issuers like Tether and Circle maintain centralized control and can freeze addresses associated with illicit activity. Tether has frozen wallets linked to scams, terrorist financing, and sanctions evasion.

This creates a unique enforcement advantage. While Bitcoin transactions are irreversible once confirmed, stablecoin balances can be frozen by issuers — making the very asset criminals prefer also the most seizeable. This dynamic has significant implications for upcoming stablecoin regulation under frameworks like the EU’s MiCA and proposed US legislation.

Blockchain Forensics: Why Crypto Is More Traceable Than Cash

Perhaps the most counterintuitive takeaway from the Chainalysis crypto crime report is this: cryptocurrency is far more traceable than traditional finance. Every transaction is permanently recorded on a public ledger. Every wallet address leaves a trail. This is fundamentally different from cash, where the UN Office on Drugs and Crime estimates that $2-5 trillion is laundered annually with a recovery rate below 1%.

How Blockchain Analytics Works

Chainalysis and similar firms use several techniques to trace illicit crypto:

• Cluster analysis — Grouping addresses controlled by the same entity using transaction patterns and known address linkages
• Heuristic analysis — AI-powered pattern recognition that identifies suspicious behavior even from unknown addresses
• Chainalysis Signals — Proprietary data that categorizes unknown addresses by suspected illicit type with confidence levels
• Cross-chain tracing — Following funds as they move between different blockchains through bridges and swap services

The 2025 results speak for themselves. Law enforcement agencies worldwide achieved record-breaking seizures. The DPRK’s 45-day laundering cycle following major thefts — moving funds through Chinese-language services, bridge protocols, and mixing tools — is now well-documented and increasingly disrupted.

Chinese Money Laundering Networks: A New Threat

The 2026 report identifies Chinese Money Laundering Networks (CMLNs) as an emerging dominant force. Building on the Huione Guarantee framework, these networks have created full-service criminal enterprises offering laundering-as-a-service for everything from fraud proceeds to North Korean hack funds and terrorist financing.

The professionalization is striking. These aren’t ad hoc services but sophisticated platforms with infrastructure designed to withstand takedowns, abuse complaints, and sanctions enforcement.

What the Crypto Crime Report Means for Investors

For cryptocurrency investors and businesses, the Chainalysis crypto crime report delivers a nuanced message. Yes, illicit activity is growing in absolute terms. But several factors provide important context:

1. Less than 1% is illicit — The overwhelming majority of cryptocurrency activity is legitimate. Crypto’s crime share is comparable to or lower than traditional finance
2. Transparency is a feature — Unlike cash or traditional banking, every crypto transaction is permanently traceable. This inherent transparency enables enforcement at a level impossible in traditional finance
3. Security is improving — DeFi hack losses remained suppressed despite growing TVL, and individual theft values declined. The ecosystem is learning from past failures
4. Regulation is maturing — The EU’s MiCA framework, proposed US stablecoin legislation, and international FATF guidelines are creating clearer compliance standards
5. Enforcement is scaling — Record seizures in 2025 demonstrate that blockchain forensics tools are giving law enforcement unprecedented capabilities

The report also underscores the importance of individual security practices. Using reputable exchanges with strong KYC processes, enabling hardware wallets for significant holdings, and remaining vigilant against social engineering attacks remain the most effective personal defenses.

For a deeper dive into how blockchain technology and financial reports shape the investment landscape, explore the full Libertify Interactive Library — where complex documents become navigable, visual experiences.