TL;DR
- Chainalysis recorded at least $154 billion received by illicit cryptocurrency addresses in 2025, a 162% year-over-year increase, although the figure is considered a lower-bound estimate.
- Stablecoins accounted for 84% of the total volume, driven by cross-border payments, low volatility, and widespread use by state-linked and criminal networks.
- North Korea stole close to $2 billion, Russia moved $93.3 billion through A7A5, and Iran channeled more than $2 billion.
Chainalysis reported that illicit cryptocurrency addresses received at least $154 billion during 2025. The figure represents a 162% year-over-year increase compared with the $57.2 billion recorded in 2024. The report clarifies that this number functions as a minimum estimate and may increase as additional addresses are identified and historical data is incorporated.
The growth was driven by activity linked to sanctioned entities, which rose 694% from the previous year. Despite that increase, the share of illicit transactions relative to total crypto market volume remained below 1%. Chainalysis excluded non-crypto-native crimes when available data could not distinguish illicit payments from legitimate activity.
Stablecoins accounted for 84% of the total illicit transaction volume in 2025. The report notes that these assets were favored by criminal actors due to their low volatility and the ease of executing cross-border transfers. This trend mirrors the broader role of stablecoins across the crypto ecosystem.
North Korea Leads State-Linked Crypto Cybercrime
Among state actors, North Korea led fund theft activity, with at least $2 billion stolen during the year. The largest incident was the February Bybit exploit, which totaled close to $1.5 billion and was identified as the largest theft in the history of the crypto industry. The report attributed this outcome to increasingly complex and coordinated operations.
Russia emerged as another central case through the ruble-backed A7A5 stablecoin. The token processed more than $93.3 billion in transactions in less than one year following its launch in February 2025. The network behind A7A5 was sanctioned by the U.S. Office of Foreign Assets Control in August and by the European Union in October, under allegations of facilitating cross-border payments for sanctions evasion.
Chainalysis Exposes Money Laundering by Iran, Russia, and China
The report also detailed activity by Iran-aligned networks, which channeled more than $2 billion for money laundering, illicit oil sales, and arms procurement. Wallets linked to Hezbollah, Hamas, and the Houthis were identified operating at a scale exceeding levels observed in previous years.
Chainalysis also identified Chinese money laundering networks as some of the most dominant providers of criminal infrastructure. These structures offer integrated services including hosting, domain registration, exchange access, and fund laundering. The same infrastructure also supports ransomware campaigns, scams, hacks, and state-linked operations.
Finally, Chainalysis documented a growing connection between onchain crime and physical violence. Cases ranged from human trafficking to coercive attacks aimed at forcing asset transfers
