Sanctioned states moved $154B in illicit crypto in 2025

Illicit cryptocurrency activity reached an estimated $154 billion in 2025, driven by a 694% year-over-year surge in flows to sanctioned entities. Of the total, $104 billion went to addresses tied to sanctions, according to new blockchain analysis of on-chain activity.

The report links the increase to nation-states using crypto for trade settlement, reserve diversification, procurement and cyber operations. It also highlights stepped-up enforcement efforts against services and infrastructure used for sanctions evasion and laundering.

Russia’s ruble-pegged A7A5 token emerged as a key settlement rail. The token processed $93.3 billion in transactions in roughly 10 months in 2025. Affiliated exchange Grinex handled at least $4.76 billion, while another exchange, Meer, processed at least $305 million. Volumes were higher on weekdays than on weekends. Kyrgyzstani issuer Old Vector was designated by Western authorities.

After law enforcement disrupted the sanctioned exchange Garantex in March 2025, on-chain data showed transfers of funds and newly minted A7A5 from Garantex wallets to Grinex via Old Vector. Researchers also identified an A7A5 “Instant Swapper” service with minimal or no customer checks that converted A7A5 into major dollar stablecoins; more than $2.2 billion moved through that channel.

In Iran, addresses associated with the Islamic Revolutionary Guard Corps and its facilitation networks accounted for more than half of the value received by Iranian services in the fourth quarter of 2025, totaling over $3 billion across the year. Overall activity in the Iranian crypto ecosystem reached about $7.78 billion in 2025 across dozens of domestic platforms. In late 2025, leaked documents posted online purported to show Central Bank of Iran wallet addresses and the use of a broker to convert fiat deposits into stablecoins. Tracing indicated that funds moved through cross-chain bridges and decentralized finance protocols before returning to Iranian services and IRGC-linked entities. In June 2025, hackers stole over $90 million from Nobitex, Iran’s largest exchange; the platform later rebuilt reserves.

North Korea-linked groups stole more than $2 billion in cryptocurrency in 2025, a new annual high attributed to the country. The report states these funds ultimately support government programs and notes continued use of overseas IT workers to raise additional revenue.

In Venezuela, estimated crypto transaction flows reached $44.6 billion in 2025 as citizens used global exchanges and peer-to-peer channels during periods of high inflation and weak confidence in local banking. Government efforts to formalize the sector through the SUNACRIP regulator and state-run exchanges, including the Petro token, drew limited activity in the tens of millions before closures. Analysts also observed informal over-the-counter brokers enabling swaps from bolivars at sanctioned banks and showing links to Chinese-language money laundering networks and the Huione Group.

Regulatory actions intensified across Southeast Asia’s scam and laundering networks. In October 2025, the U.S. Treasury’s Financial Crimes Enforcement Network named Huione Group a primary money laundering concern under Section 311, citing more than $98 billion in crypto inflows from August 2021 to January 2025, including over $4 billion tied to confirmed illicit activity. Authorities in multiple jurisdictions also sanctioned the Prince Group and its chairman Chen Zhi for facilitating crypto scams, mining, laundering and forced labor at scam compounds. U.S. officials seized over $15 billion linked to Chen Zhi, and on-chain activity showed attempts to move remaining funds after designation. OFAC designated Jin Bei, a guarantee platform similar to Huione, and the U.K.’s OFSI sanctioned Byex, an exchange linked to Prince Group.

Western authorities widened their focus to infrastructure supporting illicit on-chain activity. Sanctions targeted bulletproof hosting providers Zservers, AEZA and Yalishanda, and IP infrastructure firm Funnull Technology, aiming to disrupt services used by state-backed hackers and ransomware groups. The European Union enacted a transaction ban on A7A5 in its 19th sanctions package, and OFAC and the U.K.’s OFSI designated A7A5-linked entities in August 2025. In March 2025, OFAC removed decentralized mixer Tornado Cash from the Specially Designated Nationals list after a court ruled its autonomous smart contracts could not be treated as sanctionable property. Authorities have noted that privacy tools can be abused by illicit actors.

Researchers documented recurring methods across state-directed networks, including rebranding of services, chain-hopping between blockchains and reliance on stablecoins and centralized platforms for liquidity and interoperability. They found similar patterns across activity tied to Russia, Iran and North Korea, and a split pattern in Venezuela, where citizens use crypto for access to global finance while regime-linked facilitators experiment with stablecoin-for-oil trade.