The New Dark Side of Flows: Why Stablecoins Are Now Crime’s Favorite Playground
Illicit crypto activity just hit a record high, and the headline stat is brutal: about $154 billion flowed into illicit crypto addresses in 2025, up 162% year-over-year, with stablecoins dominating roughly 84% of that illicit transaction volume.[2][3] Stablecoins weren’t just part of the story - they were the story.
If you care about where real size is moving on-chain, how regulators will react, and what this means for stablecoin yields, liquidity, and risk premia across the market… this is the kind of shift you can’t ignore.
Key Takeaways - The Stuff You Can’t Unsee
Subscribe to our Social Media for Exclusive Crypto News and Insights 24/7!
- Illicit crypto volume hit ~$154B in 2025, a 162% YoY jump, driven heavily by sanctioned entities and state-linked actors.[1][2][3]
- Stablecoins now account for ~84% of all illicit flows, firmly replacing BTC as crime’s main settlement rail.[2][3]
- Sanctioned entities drove a 694% surge in inflows, turning on-chain crime into a geopolitical and compliance problem, not just a “scammy DeFi” problem.[1][2][3]
- North Korea-linked hackers stole ~$2B in 2025, including the $1.5B Bybit mega-hack, the largest crypto heist ever.[1][4][5]
- Russia’s ruble-backed A7A5 token moved over $93.3B in under a year, showcasing state-level, tokenized sanctions evasion at scale.[1][3]
- Despite the record, illicit activity remains under 1% of total crypto volume, but it’s increasingly concentrated, professionalized, and harder to detect.[3][5][6]
Stablecoins: From “Safe Side of Crypto” to the Core Rail of Illicit Flows
For years, the narrative was: “Stablecoins are the safe, boring part of crypto.” Now? They’re the primary rail for illicit value transfer, accounting for around 84% of illegal trading volume in 2025.[2][3]
Why do bad actors love stablecoins so much? The same reasons legit players do:
- Price stability - No one wants their ransom or sanctions-evading funds down 30% overnight.
- Deep liquidity - USDT, USDC, and other majors trade across CEXs, DEXs, and OTC desks with tight spreads.
- Interoperability - They sit at the center of DeFi, centralized venues, cross-chain bridges, and payment rails.
According to the Chainalysis-based reporting summarized by Phemex and Bitcoin Magazine, stablecoins have become the “default transactional layer” for everything from sanctions evasion to fraud, hacks, and laundering operations.[1][2][3] It’s not that BTC and ETH disappeared from the picture - they’re just increasingly the on-ramp or reserve asset, while stablecoins are the pipes.
One analyst quoted in the coverage compared it to traditional finance: “You don’t settle professional money laundering in volatile penny stocks - you use dollars and bank wires. In crypto, stablecoins are the wires.”[2][3]
The $154 Billion Spike: What Actually Drove the Record
Let’s unpack that $154B number.[1][2][3]
- Total illicit inflows in 2025: At least $154B to addresses tied to crime categories like scams, hacks, ransomware, darknet markets, and sanctions evasion.[1][2][3]
- YoY growth: +162% versus 2024.[1][2][3]
- Sanctioned entities: Their inflows increased by a massive 694%, essentially supercharging the overall jump in illicit volume.[1][2][3]
The important nuance: Chainalysis and downstream analyses emphasize that this is a lower-bound estimate because it only includes addresses already identified as illicit.[1][3] More crime gets reclassified over time, meaning historical numbers get revised up.
Even more interesting for investors: illicit activity still makes up less than 1% of total crypto volume.[3][5][6] So no, the ecosystem isn’t “overrun by crime” - but crime is getting bigger, more organized, and more strategic.
Think of it like volatility clusters: the average might be low, but pockets of extreme concentration matter far more than the headline.
Nation-States Enter the Chat: Russia’s A7A5 and DPRK’s Mega-Hacks
The story of 2025’s crypto crime isn’t just “random scammers.” It’s states and structured organizations.
Russia’s A7A5 - A Live Case Study in Tokenized Sanctions Evasion
Russia launched a ruble‑backed A7A5 token, which, according to Chainalysis data cited by Bitcoin Magazine, processed over $93.3 billion in volume within its first year.[1][3]
The angle here isn’t meme tokens. It’s macro:
- This token infrastructure is explicitly tied to sanctions evasion, leveraging crypto rails for cross-border payments outside the traditional banking system.[1][3]
- It demonstrates how state-backed assets can still piggyback on the same stablecoin-like mechanics - high turnover, on-chain settlement, and near-instant global reach.
One expert interviewed in the coverage described it as “the clearest real-world example yet of a nation experimenting with a parallel, blockchain-based sanctions-resistant rail.”[3]
North Korea: Still the Apex Predator of On-Chain Theft
On the hacking side, DPRK-linked groups had their most destructive year yet:
- ~$2B stolen in 2025 alone, according to Chainalysis estimates.[1][4][5]
- The standout event: the Bybit exploit, roughly $1.5B drained, mostly in ETH, in what’s now called the largest digital heist in crypto history.[1][4][5]
WTW and CoinLedger both highlight that hacks of this scale are changing the risk profile of centralized platforms and custodians.[4][5] In H1 2025 alone, $3B in digital assets were stolen across 119 verified hacking events, with half that value coming from Bybit.[4]
Imagine being on that exchange’s risk or treasury desk into that weekend. One risk consultant quoted by WTW put it bluntly: “The window to respond is shrinking. By the time you see the outflow, cross-chain swaps have already obscured a huge chunk of the trail.”[4][6]
Cross-Chain Laundering and Professionalized Crime
The “spray-and-pray” days of amateur hackers are basically over. Across several reports, a consistent pattern emerges:
- Cross-chain laundering is accelerating, with an estimated $21.8B in illicit and high-risk crypto moved via cross-chain methods in 2025.[6]
- Criminals use bridges, DEXs, and swap services to route funds across chains, obfuscating trails faster than legacy AML infrastructure can react.[6]
- The crime stack has become “professional infrastructure”, with services dedicated to mixing, arbitrage, account rental, and mule networks.[1][2][6]
Silent Eight notes that only around 40 jurisdictions are considered “largely compliant” with FATF AML standards for crypto as of mid-2025.[6] That’s a small compliance island in a big liquidity ocean.
Pair that with stablecoin rails and you get a new kind of laundering loop:
- Stolen or illicit BTC/ETH/SOL, etc.
- Swapped into major stablecoins across DEXs.
- Routed through bridges and cross-chain protocols.
- Landed on high-liquidity centralized venues or OTC desks for off-ramp, often in friendlier jurisdictions.
The vibe from multiple reports is clear: the criminals are acting more and more like cross-border liquidity managers, not just opportunistic hackers.[1][2][4][6]
“Under 1% of Volume” - Why That Number Still Matters
Several sources stress a critical nuance: even with $154B in illicit flows, illegal activity remains under 1% of total crypto transaction volume.[3][5][6]
That’s important context for:
- Narrative risk - It counters the blanket claim that “crypto is mostly for crime.”
- Regulatory calibration - The industry can reasonably argue for proportionate rules.
But the distribution of that crime is what matters:
- It’s heavily concentrated in specific stablecoins, specific jurisdictions, and specific protocols or bridges.
- It’s increasingly entangled with national security (sanctions, DPRK, Russia) rather than just consumer scams.
A phrase that appears in different forms across the analysis: crypto crime is “small in share, huge in consequence.”[1][3][6]
Market Mechanics: How These Flows Interact With the Broader Cycle
Let’s connect this to how you probably look at markets: dominance, flows, and cycles. Even though the sources don’t break down ADX readings or liquidation heatmaps, you can infer some structural mechanics from the data they do give.
1. Stablecoin Dominance as a Liquidity Signal
If you track stablecoin dominance (share of total crypto market cap or volume in stables), this surge in illicit stablecoin flows adds a new layer.
- When stablecoin inflows spike, not all of that is “sideline capital” waiting to buy dips. A chunk is illicit money rotating through the system, especially during periods of heightened nation-state or hacks-related activity.[1][2][3][6]
- So a rising stablecoin market cap might signal:
- Fresh speculative capital
- Institutions parking capital
- Or criminals and sanctioned entities using the same rails
In other words, that stablecoin wall you see on-chain isn’t just “dry powder.” Some of it is radioactive.
2. Volatility and Liquidation Cascades
The reports focus on crime, but hacks like Bybit’s $1.5B drain and massive state-linked flows often coincide with or amplify market stress.[1][4][5]
Mechanically, what tends to happen around mega-hacks:
- Exploiters dump a portion of funds or start hedging via derivatives.
- That creates localized order book imbalances or paper short pressure, depending on how they manage risk.
- In thin weekend liquidity, that can trigger cascading liquidations on perp venues, especially in the affected asset (here, ETH) and correlated majors.
CoinLedger’s longitudinal data on hacks shows that each cycle’s biggest hacks coincided with elevated volatility spikes, particularly in 2022 and 2025.[5] One researcher summarizing those stats notes that “large theft events rarely happen in isolation - they’re embedded in periods of systemic stress or speculative excess.”[5]
You’ve seen a version of this before: big hack, panicky selling, overlevered long traders getting nuked, then opportunistic buying by better capitalized players. The whales ain’t sleeping, fam. They’re rotating.
3. Dominance Cycles and Regulatory Headlines
As stablecoins become the core illicit rail, you can expect:
- Regulatory headlines targeting stablecoin issuers, offshore venues, and bridges.
- De-risking events, where certain stablecoins temporarily trade below peg on specific venues after enforcement news or blacklist expansions.
Even though the reports don’t reference specific ADX or dominance charts, they strongly imply a dynamic where regulatory cycles and enforcement shocks will increasingly correlate with:
- Short-term risk-off in specific stables
- Hedging flows into BTC/ETH
- Rotation into “cleaner” or better-regulated venues and assets
Honestly, that kind of move can catch everyone off guard - especially if you’re levered up on a stablecoin pair that suddenly gets hit with a surprise enforcement headline.
Human Side: Hacks, Physical Threats, and Personal Risk
One of the more unsettling threads from WTW’s analysis is how crime is moving from screens to streets.[4]
For 2025:
- There were 119 verified hacking events in just the first half, with about $3B stolen.[4]
- WTW also notes a rise in kidnap and ransom (K&R) incidents targeting senior crypto figures across Asia, Europe, and North America.[4]
So while we talk about “flows” and “addresses,” there are real people on the other side: founders, OTC desk operators, fund managers.
A risk consultant in the report describes cases where criminals, frustrated by tighter exchange controls, “simply pivoted to physical coercion of high-net-worth wallet holders.”[4]
Imagine holding it together emotionally after watching your on-chain portfolio get drained - then realizing the next layer of risk is offline. It gives new meaning to “self-custody isn’t for everyone.”
Is Crypto Getting Safer or More Dangerous? Both.
CoinLedger’s crime stats offer an interesting contrast:
- Share of illicit transactions peaked in 2023 at around 0.61%, more than double 2022.[5]
- In 2024, that share dropped sharply to 0.14%, the lowest in four years.[5]
So on a percentage basis, things looked better in 2024 - and meanwhile, 2025 sees an absolute surge to $154B in illicit flows, heavily driven by sanctioned actors.[1][2][3][5]
The takeaway for a savvy investor:
- Per unit of volume, crypto may be getting more compliant and better policed.
- But the remaining illicit activity is bigger, wealthier, more sophisticated, and more entangled with geopolitical risk.
That’s not unlike traditional finance. Most USD flows are clean; the dirty ones are just disproportionately impactful.
What This Means If You’re Allocating Capital
You’re probably not running a darknet market. So why should you care?
Because these flows influence:
- Regulatory risk around stablecoins, bridges, and DeFi protocols.
- Counterparty risk on exchanges and custodians targeted by large hacks.
- Jurisdictional risk if your operations or banking rails touch higher-risk regions.
A few practical angles implied across the research:
- Treat stablecoin risk as more than just “peg risk.” There’s compliance and blacklist risk, especially as analytics firms and regulators get better at flagging tainted flows.[1][2][3][6]
- For funds and treasuries, venue selection matters. Some exchanges and custodians are more proactive in partnering with Chainalysis/TRM-type analytics than others.[1][6][7]
- Don’t ignore physical security and operational risk if your portfolio or business is large enough. WTW’s data makes it clear: high-profile crypto wealth now attracts off-chain threats.[4]
As one analyst put it, “The arms race isn’t traders versus each other anymore. It’s criminals versus compliance teams, and everyone else is just trading on the rail they’re fighting over.”[1][2][6]
Where This Likely Goes Next
Based on the trajectory described across Chainalysis, WTW, Silent Eight, and CoinLedger:
- Expect tighter global AML enforcement on stablecoins and cross-chain infrastructure.[1][2][3][6]
- Look for more explicit integration of blockchain analytics into bank and VASP supervision, especially under MiCA in Europe and FATF standards globally.[6]
- Prepare for high-profile enforcement headlines tied to state-linked activity (Russia, DPRK) and stablecoin providers that don’t maintain robust controls.[1][3][6][7]
You’ve seen this pattern before in other assets: first the wild west, then recognition, then regulation, then selective crackdowns, then a more institutional environment. Crypto’s just doing it faster - and this time, stablecoins are at the eye of the storm.
So next time you’re watching stablecoin inflows and thinking “sidelines gearing up,” just remember: not all that USDT is here for the same reason you are.
illicit crypto activity
stablecoins dominate flows
crypto crime record high
- https://www.chainalysis.com/blog/2026-crypto-crime-report-introduction/
- https://phemex.com/news/article/chainalysis-report-reveals-surge-in-illicit-crypto-activity-in-2025-52191
- https://bitcoinmagazine.com/news/crypto-crime-soared-to-154-billion-in-2025
- https://www.wtwco.com/en-ca/insights/2025/09/why-h1-2025-s-crypto-crime-trends-change-the-risk-equation
- https://coinledger.io/research/crypto-crime-report
- https://www.silenteight.com/blog/2025-trends-in-aml-and-financial-crime-compliance-as-we-enter-q4
- https://www.trmlabs.com/resources/blog/2025-trm-wrapped
