Crypto Crime Trends 2025: Chainalysis Report Key Findings

Understanding the Chainalysis 2025 Crypto Crime Report

The Chainalysis 2025 Crypto Crime Trends Report provides one of the most comprehensive analyses of illicit cryptocurrency activity available today. As the blockchain analytics industry leader, Chainalysis tracks on-chain fund flows to identify and categorize criminal operations spanning stolen funds, darknet marketplaces, ransomware payments, sanctioned entities, and fraud schemes. The 2025 edition reveals a cryptocurrency crime landscape that is not only growing in absolute volume but becoming dramatically more sophisticated, diversified, and professionalized.

For investors, compliance professionals, and policymakers, the report highlights a critical inflection point. Cryptocurrency is no longer a niche tool for cybercriminals operating in isolation — it has become integrated into the infrastructure of transnational organized crime, state-sponsored hacking operations, and industrialized fraud networks. Understanding these trends is essential for anyone navigating the digital asset space, whether managing a portfolio, developing regulatory frameworks, or building compliance systems. The implications extend well beyond the crypto industry, touching national security, consumer protection, and the integrity of the global financial system.

The report also introduces significant methodological improvements. For the first time, Chainalysis has incorporated its Signals intelligence platform into aggregate estimates, which leverages on-chain heuristics and behavioral patterns to identify suspected illicit addresses with varying confidence levels. This advancement means that historical figures are continuously revised upward as more illicit activity is uncovered — a pattern that makes the headline numbers even more striking when viewed through the lens of what has not yet been discovered. Our analysis of the Chainalysis Geography of Cryptocurrency report provides additional context on regional adoption patterns that intersect with these crime trends.

Illicit Crypto Volume Reaches Record Highs in 2024

The headline figure from the 2025 report is staggering: approximately $40.9 billion was received by known illicit cryptocurrency addresses in 2024. Yet even this number dramatically understates the true scope of crypto crime. Chainalysis acknowledges that these estimates represent a lower bound, based only on addresses already identified as illicit at the time of publication. Historical revision patterns show that annual estimates grow by an average of 25% between reporting periods as newly identified illicit addresses and their historical activity are incorporated into the dataset.

To illustrate this dynamic, consider the 2023 figures. When the previous Crypto Crime Report was published, the initial estimate for 2023 stood at $24.2 billion. Just one year later, that figure was revised to $46.1 billion — nearly double the original estimate. Much of this growth stemmed from the identification of vendors operating through platforms like Huione that provide laundering infrastructure for high-risk and illicit actors. Applying the same historical growth trajectory to the 2024 data, Chainalysis projects that actual illicit volumes for 2024 could surpass the $51 billion threshold.

Despite the record absolute volumes, the share of illicit activity relative to total on-chain transaction volume actually declined to 0.14%, down from 0.61% in 2023. This apparent paradox reflects the explosive growth of legitimate cryptocurrency adoption, which has expanded the overall transaction base far faster than criminal activity has grown. The International Monetary Fund’s research on digital asset markets corroborates this trend, noting that institutional adoption and regulatory clarity in major markets have driven substantial growth in legitimate on-chain volumes. However, Chainalysis cautions that this percentage will also rise over time as more illicit addresses are identified, though historically these rates have consistently remained below 1%.

It is also important to note what the Chainalysis methodology excludes. The estimates do not capture revenue from non-crypto-native crime — such as traditional drug trafficking where cryptocurrency is merely used as a payment mechanism — unless specific law enforcement intelligence confirms the illicit nature of specific transactions. Funds associated with extremist groups, unproven fraud allegations without court convictions, and suspected market manipulation are similarly excluded, meaning the true economic footprint of cryptocurrency-facilitated crime is substantially larger than any single report can capture.

Stablecoins Overtake Bitcoin in Crypto Crime Transactions

One of the most consequential shifts documented in the 2025 report is the dramatic migration of illicit activity from Bitcoin to stablecoins. Through 2021, Bitcoin was the unambiguous cryptocurrency of choice for cybercriminals, driven by its high liquidity and established infrastructure on darknet marketplaces. Since then, however, the data shows a steady diversification that has fundamentally altered the composition of illicit on-chain flows.

Stablecoins now account for 63% of all illicit cryptocurrency transaction volume, reflecting a broader ecosystem transformation in which stablecoin activity grew approximately 77% year-over-year. This shift is not merely a preference change among criminals — it mirrors the same utility-driven adoption trends seen in legitimate markets. As explored in the ESMA Joint Report on Crypto Assets and DeFi, stablecoins have become critical infrastructure for remittances, cross-border payments, international trade settlement, and value storage in markets with limited traditional banking access.

Sanctioned entities have been among the most aggressive adopters of stablecoins for illicit purposes. Individuals and organizations operating under sanctions regimes — particularly those in sanctioned jurisdictions — face severe restrictions on accessing the U.S. dollar through traditional financial channels. Stablecoins pegged to the dollar offer a practical workaround, providing the stability benefits of USD exposure without requiring access to the conventional banking system. This makes stablecoins a critical tool for sanctions evasion, even as issuers like Tether have taken steps to freeze addresses linked to scams, terrorist financing, and sanctions violations.

The Tether freezing mechanism represents an interesting counterforce. The company has proactively frozen addresses connected to various categories of illicit activity, which theoretically makes stablecoins a riskier choice for criminals compared to more decentralized assets. However, the sheer volume of stablecoin-based illicit activity suggests that the benefits of stability, liquidity, and USD equivalence continue to outweigh the freezing risk for most criminal operations. Meanwhile, certain crime categories remain Bitcoin-dominated: ransomware payments and darknet market transactions continue to flow primarily through BTC, while the privacy coin Monero has gained traction in the darknet ecosystem despite being excluded from the Chainalysis analysis.

Cryptocurrency Stolen Funds and Hacking Surge

Cryptocurrency theft saw a significant escalation in 2024, with total stolen funds increasing approximately 21% year-over-year to reach $2.2 billion. This growth came despite improved security practices across much of the industry, highlighting the persistent sophistication of threat actors targeting the cryptocurrency ecosystem. The distribution of attacks shifted notably between decentralized and centralized services throughout the year.

While DeFi protocols continued to account for the largest aggregate share of stolen funds, centralized services emerged as the primary targets during the second and third quarters of 2024. This shift suggests that attackers are increasingly identifying centralized exchanges and custodial platforms as high-value targets where single points of compromise can yield massive returns. The concentration of assets on these platforms, combined with the complexity of securing hot and cold wallet infrastructure, creates attractive opportunities for sophisticated adversaries.

Private key compromises represented the single largest attack vector, accounting for 43.8% of all stolen cryptocurrency in 2024. This finding underscores a fundamental security challenge: regardless of how robust a protocol’s smart contract logic may be, the security of the entire system often reduces to the protection of private keys held by a relatively small number of individuals or managed through operational security procedures. Social engineering, insider threats, and infrastructure compromise remain the most effective pathways to extracting private keys, and the data suggests these attack methods are becoming more prevalent and more successful.

The NIST guidelines on cryptographic key management provide foundational principles for protecting digital assets, yet implementation gaps persist across the industry. Multi-signature schemes, hardware security modules, and time-locked recovery mechanisms are widely available but inconsistently deployed, particularly among newer or fast-growing platforms where security investment may lag behind user acquisition.

North Korea Crypto Hacking Operations Escalate

Perhaps the most alarming finding in the 2025 report concerns the scale and sophistication of North Korean cryptocurrency theft operations. State-sponsored hackers from North Korea stole $1.34 billion from cryptocurrency platforms in 2024, representing a staggering 61% of all crypto funds stolen during the year. This makes North Korea by far the single largest source of cryptocurrency theft globally, operating what amounts to a state-run cybercrime apparatus designed to fund the regime’s weapons programs and circumvent international sanctions.

The tactics employed by North Korean actors have evolved significantly. Beyond traditional remote hacking operations, the report highlights the increasing use of North Korean IT workers who infiltrate cryptocurrency and Web3 companies by posing as legitimate employees. Once embedded within target organizations, these operatives leverage their insider access to compromise networks, extract private keys, and facilitate large-scale theft. The sophistication of their tactics, techniques, and procedures (TTPs) has reached a level that makes detection exceptionally difficult, with some operatives maintaining employment for months before executing their attacks.

This infiltration strategy represents a qualitative escalation in state-sponsored crypto crime. Traditional hacking operations rely on identifying and exploiting technical vulnerabilities from outside an organization’s perimeter. By contrast, the insider approach bypasses perimeter defenses entirely, granting attackers access to production systems, key management infrastructure, and internal communications that would otherwise be protected by multiple security layers. The IMF Crypto Assets and Emerging Risks Monitor has flagged the intersection of state-sponsored hacking and financial stability as a growing area of concern for global regulators.

The $1.34 billion figure also illustrates the disproportionate impact of a small number of highly capable threat actors. While thousands of individual hackers and criminal groups target cryptocurrency platforms worldwide, a single state-sponsored program accounts for the majority of total stolen value. This concentration of impact suggests that countermeasures specifically targeting North Korean operations — including enhanced employee vetting, behavioral monitoring for insider threats, and international intelligence sharing — could yield outsized improvements in overall cryptocurrency security.

Ransomware Cryptocurrency Attacks and Law Enforcement

Ransomware remained a significant component of the crypto crime landscape in 2024, generating revenues in the hundreds of millions of dollars. However, the ecosystem showed signs of meaningful disruption thanks to a combination of multinational law enforcement operations and a growing unwillingness among victims to pay ransom demands. These counterforces have not eliminated the ransomware threat, but they have meaningfully changed the economics of the criminal business model.

Several large-scale, multilateral law enforcement operations conducted throughout 2024 targeted ransomware infrastructure, payment processing networks, and the individuals behind major ransomware strains. These disruptions have had measurable effects on the ecosystem, forcing ransomware operators to rebuild infrastructure, recruit new affiliates, and adapt their operational security practices. The cumulative impact of sustained law enforcement pressure is reflected in the data: while attack volume remained relatively consistent, the average payment size decreased as more victims chose to resist ransom demands or successfully recovered from attacks using backup systems and decryption tools made available through law enforcement cooperation.

The declining willingness of victims to pay ransoms reflects several converging factors. Improved corporate cybersecurity preparedness, including better backup strategies and incident response planning, has reduced the leverage that ransomware operators hold over their victims. Additionally, regulatory guidance in multiple jurisdictions has discouraged or even prohibited ransom payments, particularly to sanctioned entities. The growing availability of free decryption tools — often developed through collaboration between security researchers and law enforcement agencies — has further undermined the ransomware value proposition. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains a comprehensive resource hub for ransomware prevention and response that has contributed to improved preparedness across both public and private sectors.

Despite these positive developments, ransomware remains a persistent and adaptive threat. Some groups have responded to declining payment rates by increasing their attack volume, targeting more victims to compensate for lower per-attack revenues. Others have escalated their extortion tactics, combining data encryption with threats to publish stolen information or to notify regulatory authorities of data breaches at victim organizations. The evolution of ransomware-as-a-service (RaaS) models has also lowered the barrier to entry for new operators, ensuring a steady pipeline of new groups entering the ecosystem even as established players are disrupted.

AI-Powered Crypto Fraud and Scam Trends

High-tech and low-tech fraud schemes continued to be prolific in 2024, with high-yield investment scams and pig butchering operations remaining the most financially successful fraud categories. However, the integration of artificial intelligence into fraud operations represents a qualitative transformation that is reshaping the threat landscape. AI-powered tools are enabling fraudsters to operate at unprecedented scale and with dramatically improved personalization, making scams harder to detect and more effective at extracting funds from victims.

One of the most concerning applications of AI in crypto fraud involves highly personalized sextortion attacks. These campaigns leverage AI-generated content and data aggregation to create convincing, targeted messages that include personal details about victims — such as photographs of their homes — to increase the perceived credibility of threats. The psychological impact of receiving a seemingly informed threat is substantially greater than that of a generic scam email, and the conversion rates for these personalized attacks are correspondingly higher.

Beyond sextortion, AI is being deployed to bypass know-your-customer (KYC) verification processes across cryptocurrency exchanges and financial platforms. Specialized services have emerged that use AI to generate realistic synthetic identity documents, fabricate video verification footage, and even conduct live KYC interviews using deepfake technology. These capabilities enable fraud operators to create seemingly legitimate accounts at scale, which are then used for money laundering, scam operations, and other illicit activities. The proliferation of such services represents a direct challenge to the identity verification infrastructure that underpins cryptocurrency compliance frameworks globally.

Pig butchering scams — long-term confidence schemes in which victims are gradually cultivated through romantic or professional relationships before being guided into fraudulent investment platforms — have also been enhanced by AI. Natural language processing tools enable operators to maintain convincing conversations with multiple victims simultaneously, while AI-driven sentiment analysis helps scammers identify the most promising targets and optimize their manipulation strategies. The Atlantic Council Global Foresight analysis examines how these technology-enabled financial crimes intersect with broader geopolitical risk patterns in the digital economy.

Crypto ATM scams have emerged as a growing concern, particularly as they relate to elder fraud. These schemes typically involve convincing victims — often elderly individuals with limited cryptocurrency experience — to deposit cash into crypto ATMs, with the funds immediately transferred to attacker-controlled wallets. The physical nature of these scams, combined with the irreversibility of cryptocurrency transactions, creates a particularly harmful dynamic for vulnerable populations.

Professionalization of the Crypto Crime Ecosystem

Perhaps the most structurally significant trend identified in the Chainalysis 2025 report is the accelerating professionalization of the crypto crime ecosystem. This transformation goes far beyond individual actors becoming more skilled — it represents the emergence of a criminal services industry complete with specialized vendors, marketplace infrastructure, customer support, and quality assurance mechanisms that mirror legitimate technology businesses.

The concept of “illicit-actor organizations” — Chainalysis’s term for wallets associated with services and individuals both directly committing cybercrime and facilitating it through infrastructure provision — accounted for $10.8 billion of the $40.9 billion in illicit cryptocurrency flows in 2024. This category encompasses a wide range of operational roles: hackers, extortionists, traffickers, and scam operators on the active side, along with laundering-as-a-service providers, technology vendors, and infrastructure operators on the facilitation side. The scale of the facilitation economy suggests that enabling crime has become at least as profitable as committing it directly.

Huione Guarantee stands as the paradigmatic example of this professionalization trend. Since 2021, Huione and the vendors operating on its platform have processed more than $70 billion in cryptocurrency transactions. The marketplace functions as a comprehensive criminal services platform, facilitating the sale of scam technology, processing transactions for pig butchering and other fraud operations, handling stolen funds, servicing sanctioned entities including Russia’s Garantex exchange, operating fraud shops, distributing child sexual abuse material, and connecting Chinese-language gambling operations. The breadth of criminal activity consolidated on a single platform is remarkable, creating what amounts to an illicit economy with its own marketplace dynamics, competitive pressures, and network effects.

This professionalization has significant implications for law enforcement and compliance efforts. When criminal operations were conducted by isolated actors using bespoke tools and ad-hoc laundering methods, each criminal operation represented a distinct investigation target. The consolidation of criminal infrastructure onto shared platforms creates both challenges and opportunities: while the scale of the problem has grown, the interconnectedness of the ecosystem means that disrupting key infrastructure nodes can have cascading effects across multiple crime categories. The McKinsey Global Institute’s analysis of technology-driven economic disruption explores parallel dynamics in how infrastructure consolidation affects both legitimate and illicit digital economies.

Transnational organized crime groups have been among the primary beneficiaries of this professionalized ecosystem. Groups traditionally associated with drug trafficking, human trafficking, wildlife trafficking, and other physical-world crimes are increasingly incorporating cryptocurrency into their operations — not merely as a payment method, but as a core component of their financial infrastructure. The concept of “polycrime,” where criminal organizations simultaneously engage in multiple crime types facilitated by shared cryptocurrency infrastructure, is becoming the norm rather than the exception.

Darknet Markets and Fraud Shop Disruptions

Darknet markets received approximately $2 billion in cryptocurrency in 2024, a modest decline from the $2.3 billion recorded in 2023. This category continues to represent a significant component of the illicit crypto economy, encompassing platforms that facilitate the sale of illegal drugs, stolen data, counterfeit documents, hacking tools, and other contraband. The relative stability of darknet market volumes, despite ongoing law enforcement pressure, reflects the resilient and adaptive nature of these platforms, which frequently reconstitute under new identities following takedowns.

Fraud shops, by contrast, experienced a dramatic decline, with volumes falling by more than half to $220.1 million. This steep reduction was driven in large part by a major U.S.-Dutch joint law enforcement operation that targeted the Universal Anonymous Payment System (UAPS), a cryptocurrency payment processor that served as critical financial infrastructure for hundreds of fraud shops. UAPS facilitated transactions for notorious operations including Brian Dumps and Faceless, and its takedown severed the payment pipelines that these shops relied upon to process customer purchases and vendor payouts.

The UAPS takedown illustrates the effectiveness of targeting financial infrastructure rather than individual criminal operations. By disrupting the shared payment processing layer that served hundreds of fraud shops simultaneously, law enforcement achieved a multiplier effect that would have been impossible through sequential investigations of individual shops. This approach mirrors the broader strategy of identifying and disrupting key nodes in the increasingly interconnected crypto crime ecosystem — a strategy that the professionalization trend, paradoxically, makes more feasible by concentrating criminal infrastructure into identifiable platforms.

Despite the fraud shop disruption, the darknet ecosystem remains resilient. New marketplaces continue to emerge to replace those that are shut down, and the underlying demand for the products and services traded on these platforms shows no sign of diminishing. The increasing use of privacy-enhancing technologies, including Monero and decentralized marketplace protocols, adds complexity to law enforcement efforts, though these technologies represent a relatively small share of the overall illicit transaction volume. The long-term trajectory of darknet markets will likely depend on the pace at which law enforcement capabilities evolve relative to the privacy tools adopted by criminal operators.

Implications for Crypto Investors and Blockchain Security

The findings of the Chainalysis 2025 Crypto Crime Report carry profound implications for cryptocurrency investors, financial institutions, and the broader blockchain ecosystem. While the 0.14% illicit activity rate may seem reassuringly small, the absolute volumes — potentially exceeding $51 billion — represent a material risk factor that affects market integrity, regulatory trajectories, and the reputation of the digital asset industry.

For individual investors, the report underscores the importance of platform selection, security hygiene, and awareness of evolving fraud tactics. The prevalence of private key compromises as the leading attack vector highlights the critical importance of self-custody best practices, including the use of hardware wallets, multi-signature arrangements, and careful verification of all transaction details before signing. The rise of AI-powered scams means that traditional red flags — poor grammar, generic messaging, obvious urgency — are becoming less reliable indicators of fraud, requiring more sophisticated evaluation criteria.

For institutional participants and compliance professionals, the report signals that cryptocurrency compliance frameworks need continuous evolution. The shift toward stablecoins for illicit transactions, the sophistication of AI-powered KYC bypass tools, and the consolidation of criminal infrastructure onto professional platforms all suggest that static compliance rules will be increasingly insufficient. Real-time on-chain monitoring, behavioral analytics, and cross-platform intelligence sharing are becoming essential components of effective compliance programs.

The regulatory implications are equally significant. The data presented by Chainalysis provides ammunition for both pro-regulation and pro-innovation arguments. On one hand, the scale of illicit activity supports the case for stronger regulatory oversight, enhanced reporting requirements, and stricter licensing standards for cryptocurrency businesses. On the other hand, the declining percentage of illicit transactions relative to total volume, combined with the demonstrable effectiveness of blockchain analytics in supporting law enforcement, supports the argument that the inherent transparency of public blockchains provides better surveillance capabilities than the traditional financial system. The Financial Action Task Force (FATF) guidance on virtual assets continues to shape regulatory approaches globally, and the Chainalysis data will undoubtedly inform future iterations of these frameworks.

Looking ahead, the trends identified in the 2025 report suggest that the crypto crime landscape will continue to evolve rapidly. The professionalization of criminal infrastructure, the integration of AI into fraud operations, and the persistent sophistication of state-sponsored actors all point toward a threat environment that will require equally sophisticated and well-resourced defensive capabilities. The most encouraging takeaway, however, is that the transparency of blockchain technology — the very feature that makes cryptocurrency attractive for legitimate use — also provides the analytical foundation for understanding, tracking, and ultimately disrupting illicit activity at a level of granularity that is simply impossible in the traditional financial system.