Criminal actors netted $158 billion in digital assets last year, marking a surge in the value of illicit activity after years of decline, according to a report published by TRM Labs that analyzes data from 2025.
However, the higher total still represents a continued decline in the share of overall crypto activity linked to bad actors (1.2% of volume), according to the report released Wednesday. The actors behind it are increasingly professional, state-backed operations supported by sophisticated infrastructure.
“We saw approximately $4 trillion in stablecoin activity in 2025, indicating how quickly the legal ecosystem is growing,” said Ari Redbord, global head of policy at TRM. “Even with that growth, illicit activity still represents only about 1.2% of total volume. That said, that 1.2% is existential and pretty much everything I think about: ransomware attacks on hospitals, seniors losing their life savings to scams, and state actors like North Korea using cryptocurrency to fund weapons programs.”
The report comes as the use of cryptocurrencies for illicit finance is a central point of debate among US lawmakers working on cryptocurrency market structure legislation. Democrats have insisted on stronger protections against crime than were present in earlier drafts of the bill being considered in two Senate committees. So far, the two parties have been unable to come up with a version that satisfies both, although a hearing is still scheduled for Thursday in the Senate Agriculture Committee. If that hearing takes place, illicit finance will continue to be in the spotlight.
A huge surge in sanctions-linked crypto activity was “overwhelmingly driven by Russia-linked flows,” according to TRM, which said $72 billion ran through the A7A5 ruble-backed stablecoin and that the wallet group known as A7 could be connected to more than $39 billion in Russian sanctions evasion.
“While Russia-linked networks largely drove sanctions-related cryptocurrency volume, the most important change was the institutionalization of cryptocurrency lanes by other sanctioned actors,” the report notes, citing activity in Venezuela and China.
As for cryptocurrency hacking, those incidents generated almost $3 billion in 2025, which was more than the previous year, although about half of that was due to the single February attack on Bybit. While attacks and exploits totaled 150 thefts during the year, the damage was largely due to a handful of larger incidents.
“Sophisticated actors, particularly those linked to North Korea (DPRK), are no longer just exploiting code: they are compromising the operational foundations of cryptoasset services and the ecosystems around them,” the report says. Attacks on infrastructure caused the majority of losses.
North Korean hacking operations are using “Chinese laundries” to pass stolen assets into the hands of outsourced launderers who use chain hopping and fragmentation to complicate tracking, according to TRM. “This professionalization complicates recovery, as the faster stolen assets can be routed through layered intermediaries, the narrower the interdiction window will be,” the report says.




