Criminal actors seized $158 billion in digital assets last year, marking a sudden increase in the value of illicit activity after years of decline, according to a report published by TRM Labs analyzing 2025 data.
However, the higher total still represents a continued decline in the share of overall crypto activity tied to bad actors (1.2% of volume), the report released Wednesday said, and the bad guys behind it are increasingly professional, state-backed operations supported by sophisticated infrastructure.
“We saw around four trillion dollars of stablecoin activity in 2025, which indicates how quickly the legal ecosystem is growing,” said Ari Redbord, TRM’s global head of policy. “Even with this growth, illicit activity still only made up about 1.2% of the total volume. That said, that 1.2% is existential and that’s about all I can think about: ransomware attacks on hospitals, elderly people losing their savings to scams, and state actors like North Korea using crypto to fund weapons programs.”
The report comes as the illicit financial use of crypto is a focal point of debate among US lawmakers working on crypto market structure legislation. Democrats insisted on tougher crime protections than were present in previous versions of the bill considered by two Senate committees. So far, the two parties have not been able to agree on a version that satisfies them both, although a hearing is still scheduled for Thursday in the Senate Agriculture Committee. If this hearing takes place, illicit financing will remain at the forefront.
A surge in sanctions-related crypto activity was “largely driven by Russia-related flows,” according to TRM, which said $72 billion was managed through the ruble-backed stablecoin A7A5 and the wallet cluster known as A7 could be connected to more than $39 billion in Russian sanctions evasion.
“While Russia-linked networks have largely driven sanctions-related crypto volume, the most consequential change has been the institutionalization of crypto rails by other sanctioned actors,” the report notes, citing activity in Venezuela and China.
Crypto hacks brought in nearly $3 billion in 2025, a higher amount than the previous year, although about half of that was due to the February attack on Bybit alone. Hacks and exploits totaled 150 thefts for the year, but the damage was largely attributed to a handful of larger incidents.
“Sophisticated actors, particularly those linked to North Korea (DPRK), are no longer just exploiting code: they are compromising the operational foundations of crypto asset services and the ecosystems around them,” the report said. Attacks on infrastructure caused most of the losses.
North Korean hacking operations use “Chinese laundromats” to pass stolen assets into the hands of contract launderers who use channel hopping and fragmentation to complicate tracking, according to TRM. “This professionalization complicates recovery, because the quicker stolen assets can be routed through multi-tiered intermediaries, the narrower the interdiction window,” the report said.




