Chainalysis: The volume of illegal transactions in the encryption field may hit a new high in 2025

Source: Chainalysis; Compiled by: Baishui, Golden Finance

Cryptocurrencies have become increasingly mainstream in recent years. While on-chain illegal activity previously centered around cybercrime, cryptocurrencies are now also being used to fund a variety of threat actors, from national security to consumer protection. As cryptocurrencies gain more acceptance, illegal activities on the chain become more diverse. For example, some illicit actors operate primarily off-chain but move funds on-chain for money laundering.

We report annually on certain defined categories – stolen funds, darknet markets, and ransomware, to name a few. However, as cryptocrime has diversified to include all types of crime, the on-chain illicit ecosystem has witnessed increasing professionalization, with an increasing number of organizations and networks of illicit actors using cryptocurrencies, and their operations becoming increasingly complex. In particular, we have seen the emergence of large-scale on-chain services that provide infrastructure for many types of illicit actors to help them launder money.

How do these developments unfold on the chain? Let’s take a look at the data and overall trends.

According to our indicators today, the value received by illicit cryptocurrency addresses appears to have dropped to $40.9 billion in 2024. However, 2024 is likely to be a record year for inflows from illicit actors, as these numbers are based on lower-end estimates of the inflows into illicit addresses we have identified to date.

A year from now, these totals will be higher as we identify more illegitimate addresses and incorporate their historical activity into our estimates. For example, when we released last year's crypto crime report, we reported $24.2 billion in 2023. One year later, our latest estimate for 2023 is $46.1 billion. Much of the growth comes from various types of illicit actor organizations, such as providers operating through Huione, which provide on- chain infrastructure and money laundering services to high-risk and illicit actors.

It makes sense that illegal cryptocurrency trading volume will exceed 2023 in 2024. Since 2020, our annual estimates of illegal activity, including evidence attribution and Chainalysis Signals data, have increased by an average of 25% during the annual reporting period. Assuming a similar growth rate in crypto crime reporting between now and next year, our annual total in 2024 could exceed the $51 billion threshold.

Generally, our totals exclude proceeds from non-crypto-native crimes, such as traditional drug trafficking and other crimes that may use cryptocurrencies as a means of payment or money laundering. Such transactions are nearly indistinguishable from legitimate transactions in on-chain data, although law enforcement with off-chain information can still use Chainalysis solutions to investigate these crimes. If we are able to confirm this information, we will count these transactions as illegal in our data. For example, our 2022 data already includes $8.7 billion in creditor claims against FTX since its former CEO was convicted of fraud. However, it is almost certain that in many cases we will not have such confirmation, so these numbers will not be reflected in our totals.

How big will crypto crime be in 2024?

• Currently known illicit addresses have received $40.9 billion, but based on historical trends we estimate the total could be closer to $51 billion

• Accounting for 0.14% of the total transactions on the chain

Estimates of illegal trading activity include:

• Funds were sent to an address we determined to be illegal

• Funds stolen by cryptocurrency hackers

Estimates of illegal trading activity do not include:

• Funds sent to addresses that we have not determined to be illegal. Why? Because we don't know yet that they're illegal. But we will update our numbers on a rolling basis as we identify more.

• Funds from non-crypto-native crimes, except cases brought to our attention by clients. Why? Because without more information, these transactions cannot be proven to be illegal.

• Funding linked to extremist groups. Why? Because definitions of what constitutes extremism are often subject to interpretation and are inconsistent across jurisdictions.

• Funds linked to crypto platforms accused of fraud without court conviction. Why? Because only a judge and jury can make that decision.

• Trading volume associated with potential market manipulation. Why? Because our research heuristic is designed to catch instances of suspected market manipulation based on on-chain behavior, it is not conclusive.

At the time of publication, we are seeing a year-over-year decline in the absolute value of illegal activity; however, based on historical growth rates, we suspect that as data attribution improves, this number will eventually exceed last year's total. Additionally, our estimate of the share of all attributed crypto trading volume related to illegal activity (shown in the chart below) has also declined from 0.61% in 2023 to 0.14%. Again, we expect this ratio to rise over time, although historically, these ratios have always been below 1%. [1]

We are also seeing continued trends in the types of assets involved in crypto crimes.

In 2021, BTC is undoubtedly the cryptocurrency of choice among cybercriminals, likely due to its high liquidity. However, since then, we have observed steady diversification into BTC, with stablecoins now accounting for the vast majority of all illicit transaction volume (63% of all illicit transactions). This new reality is part of a broader ecosystem trend, in which stablecoins also account for a significant proportion of all crypto activity, as evidenced by stablecoin activity increasing by approximately 77% year-over-year. In our Cryptocurrency Geography 2024 report, we cover a wide range of real-world use cases for stablecoins across a range of markets, such as storing value, remittances, and facilitating cross-border payments and international trade. Additionally, stablecoin issuers often freeze funds if they become aware that illegal actors are using the funds. For example, Tether froze addresses of concern related to fraud, terrorist financing, and sanctions evasion, which could make the stablecoin a poor vehicle for illegal actors to transfer value.

Still, despite these ecosystem-wide trends, some forms of cryptocrime, such as ransomware and darknet market (DNM) sales, continue to be dominated by BTC. The popular privacy coin Monero, although an increasingly important part of the DNM ecosystem, was not included in this report’s analysis. Other illegal activities, such as fraud or money laundering, often take a more eclectic approach and are spread across all asset types. Other illegal activities, such as transactions related to sanctioned entities, have primarily turned to stablecoins. Sanctioned entities (including individuals operating in sanctioned jurisdictions) generally have a greater incentive to use stablecoins because of the challenges of obtaining U.S. dollars through traditional means while hoping to benefit from the stability of the U.S. dollar.

Below, we take a closer look at three key trends that will define cryptocrime in 2024 and will be important to watch going forward.

Stolen funds and scams remain rampant

Stolen funds increased approximately 21% year-on-year to $2.2 billion. While the largest share of stolen funds came from decentralized finance (DeFi) services, it was centralized services that received the most attention in the second and third quarters. Private key leaks accounted for the largest share of stolen cryptocurrencies in 2024 (43.8%), and North Korean hackers stole more funds from crypto platforms than ever before: $1.34 billion, or 61% of the total amount stolen for the year. Some of these incidents appear to be related to North Korean IT workers, who are increasingly infiltrating encryption and web3 companies, compromising their networks, and using sophisticated tactics, techniques, and procedures (TTPs).

High-tech and low-tech fraud and scams are rampant in 2024, with high-yield investment scams and pig-killing scams being the most successful types of fraud and scams. We are also observing the increasing use of artificial intelligence (AI) in fraud and scams, such as highly personalized sextortion attacks. This use of AI is consistent with a broader trend in a range of illegal cyber crimes, as services that use AI to bypass know-your-customer (KYC) requirements have emerged. Fraud and scam operators are also taking advantage of guaranteed services like Huione (discussed below), while crypto ATM scams are a growing concern, especially related to elder fraud.

Ransomware remains focus, darknet markets and scam stores drop

Ransomware revenue continues to reach hundreds of millions of dollars, but a series of massive multilateral law enforcement disruptions, combined with victims' reduced willingness to pay ransoms, has taken a toll on the ecosystem. Still, 2024 was a productive year, as attack volumes were relatively stable and some ransomware groups still managed to eke out ransom payments - albeit lower amounts.

Darknet markets garnered $2 billion, compared with nearly $2.3 billion in 2023, while the number of fraudulent stores fell by a little more than half, to $220.1 million. The number of fraudulent stores has dropped significantly, in part due to the massive shutdown in the United States and the Netherlands of the Universal Anonymous Payment System (UAPS), a crypto payment processor that facilitated transactions for hundreds of fraudulent stores including Brian Dumps and Faceless .

The crypto-crime landscape is increasingly diverse and specialized

Cryptocurrencies are increasingly used by a range of illicit actors, including transnational organized crime groups, to commit traditional crimes such as drug trafficking, gambling, intellectual property theft, money laundering, human and wildlife trafficking, and violent crime. Additionally, some criminal networks are resorting to cryptocurrencies to facilitate multiple crimes or multiple crime types. In fact, of the total $40.9 billion received by illicit crypto addresses in 2024, $10.8 billion came from "illicit actor groups," our definition of those who directly commit cybercrimes such as hacking, extortion, trafficking, or fraud. A collective term for services and personal wallets, and those who facilitate such activity by selling the infrastructure, tools and services needed to commit crimes and profit, including money laundering as a service.

Perhaps no entity illustrates the professionalization of the crypto-criminal ecosystem better than the online marketplace Huione Guarantee. As highlighted in our mid-2024 crypto crime update, Huione and all vendors operating on its platform have processed more than $70 billion in crypto transactions since 2021. The platform provides the infrastructure to facilitate the sale of fraud technology and handles on-chain transactions for pig killing and other frauds and scams, addresses reported as stolen funds, sanctioned entities such as the Russian exchange Garantex, fraudulent shops, children Sexually abusive material as well as gambling websites and casinos, etc.

Note:

[1] Trading volume is a measure of all attributed economic activity and a proxy for money changing hands. This year, we adjusted our methodology to only include transactions involving at least one attributed entity, while removing strip chains, internal service transactions, transactions between two personal wallets, change, and anything else that is not considered a distinct economic actor The type of transaction between economic transactions.