The Professionalized Underground: Chainalysis Reveals $154B in Illicit Crypto Flows
By 2025, the subterranean cryptocurrency landscape had decisively transcended its origins as a chaotic bazaar of dubious schemes, coalescing into a sophisticated ecosystem defined by established hierarchies and streamlined services. According to the latest comprehensive analysis by Chainalysis, sovereign states are increasingly co-opting existing criminal blockchain infrastructures to circumvent international restrictions and sanctions, eschewing the need to develop proprietary mechanisms from the ground up.
Throughout the year, addresses linked to illicit activities received an estimated $154 billion in digital assets—a staggering 1.5-fold increase over the revised 2024 estimates. Chainalysis attributes this dramatic surge primarily to the maneuvers of sanctioned entities, a category encompassing both state-orchestrated evasion tactics and the specialized intermediaries that facilitate them.
Analysts concede that these figures are almost certainly conservative. As new addresses are unmasked and historical transactions re-evaluated, the portrait of illicit finance inevitably evolves. This is exemplified by the retroactively adjusted 2024 data: initially estimated at $40.9 billion, the figure was revised to $57.2 billion following refined methodologies and additional data integration. A significant portion of this volume is driven by “service-provider” criminal entities that do not engage in direct assaults but rather lease infrastructure and laundering expertise to other market participants.
Despite these imposing sums, the proportion of illicit activity relative to total cryptocurrency turnover remains below one percent. Analysts further clarify that their calculations exclude proceeds from conventional crimes where digital assets serve merely as a medium of exchange; in such instances, on-chain transfers remain virtually indistinguishable from legitimate commerce.
In 2025, the primary conduits of illicit flow converged around several key nodes: North Korea, Russia, Iranian-linked networks, and Chinese syndicates specializing in the art of financial obfuscation. These actors collectively define the contemporary threat landscape.
North Korean hacking collectives achieved their most lucrative year to date, exfiltrating approximately $2 billion. The lion’s share of this haul originated from the breach of Bybit, which, with losses nearing $1.5 billion, stands as the most significant digital heist in the history of the crypto market.
The Russian facet of on-chain activity is largely anchored to the A7A5 stablecoin, pegged to the ruble. Despite intensifying regulatory scrutiny, it processed over $93.3 billion within its inaugural year. In August, the network behind A7A5 was sanctioned by the U.S. Office of Foreign Assets Control (OFAC), which explicitly identified the token as a tool for cross-border settlements designed to bypass sanctions. By October, the European Union mirrored these measures, designating A7A5 as a primary instrument for financing war-related activities.
A distinct stratum of the report details Chinese money-laundering networks, which operate on a service-based model. Their arsenal is comprehensive, offering infrastructure for fraudsters, processing proceeds from cyber-heists, and supporting sanctions evasion. Essentially, they serve as universal vendors for every conceivable on-chain transgression.
Iranian proxy groups also markedly expanded their footprint. Chainalysis estimates that over $2 billion flowed through affiliated addresses, fueling money laundering, illicit petroleum trade, and arms procurement. The report identifies organizations such as Hezbollah, Hamas, and the Houthis, noting that in 2025, they utilized cryptocurrencies on a scale previously unseen.
Stablecoins have emerged as the quintessential instrument for illicit operations, accounting for 84 percent of all subterranean turnover during the year. Their utility is pragmatic: they facilitate seamless international transfers and are shielded from the volatility of traditional cryptocurrencies, thereby minimizing risk for large-scale maneuvers.
Furthermore, the rise of “full-cycle” providers marks a pivotal trend. An increasing number of illicit schemes rely on the same clandestine services providing hosting, domains, exchange access, and laundering tools engineered to withstand constant law enforcement pressure. These platforms are shared by ransomware actors, fraudsters, and state-affiliated entities alike.
In its concluding remarks, Chainalysis highlights a harrowing convergence of digital crime and physical coercion. This involves instances of human trafficking and direct intimidation, where victims are forced to transfer crypto-assets. Such attacks frequently coincide with periods of heightened market activity, when the movement of funds is most difficult to monitor and intercept.