Criminal actors seized $158 billion in digital assets last year, marking a sudden increase in the value of illicit activity after years of decline, according to a report released by TRM Labs analyzing 2025 data.
However, even with the higher total, illicit activity continued its sustained decline as a percentage of total crypto activity (1.2% of volume), said the report published on Wednesday, and the actors behind it are increasingly professional, state-backed operations supported by sophisticated infrastructure.
“We saw about four trillion dollars in stablecoin activity by 2025, which tells you how fast the legal ecosystem is growing,” said Ari Redbord, global policy director for TRM. “Even with that growth, illegal activity still only made up about 1.2% of the total volume. That said, the 1.2% is existential and pretty much everything I think about – ransomware attacks on hospitals, seniors losing life savings to fraud, and state actors like North Korea using crypto to fund weapons programs.”
The report lands as illegal financial use of crypto is a key point being debated by US lawmakers working on crypto market structure legislation. Democrats have insisted on tougher anti-crime shields than were present in earlier drafts of the bill, which is being considered in two Senate committees. So far, the two parties have been unable to agree on a version that satisfies both, despite a hearing still set for Thursday in the Senate Agriculture Committee. If that hearing takes place, illicit financing will remain front and center.
A large increase in sanctions-related crypto activity was “overwhelmingly driven by Russia-related flows,” according to TRM, which said $72 billion was run through the ruble-backed stablecoin A7A5, and that the wallet cluster known as A7 could be linked to more than $39 billion in Russian sanctions evasion.
“While Russia-linked networks largely drove sanctions-related crypto volume, the more consequential shift was the institutionalization of crypto rails by other sanctioned actors,” the report noted, citing activity in Venezuela and China.
Crypto hacking incidents came to nearly $3 billion in 2025, a higher dollar amount than the previous year, although about half of that was due to the single attack in February on Bybit. While hacks and exploits accounted for 150 thefts during the year, the damage was heavily weighted toward a handful of major incidents.
“Sophisticated actors, particularly those linked to North Korea (DPRK), are no longer just exploiting code — they are compromising the operational foundations of cryptoasset services and the ecosystems around them,” the report said. Infrastructure attacks accounted for most of the losses.
North Korean hacking operations use “Chinese laundries” to pass stolen assets into the hands of subcontracted launderers who use chain-hopping and fragmentation to complicate tracking, according to TRM. “This professionalization complicates recovery, as the faster stolen assets can be routed through layered intermediaries, the narrower the window for interdiction,” the report said.



