A report released by TRM Labs analyzing data through 2025 shows that criminals stole $158 billion in digital assets last year, marking a sudden increase in the value of illegal activity after years of decline.
However, the report released on Wednesday said that the rise in totals still points to a continued decline in the percentage of overall cryptocurrency activity associated with bad actors (1.2% of trading volume) behind increasingly professional state-backed operations backed by sophisticated infrastructure.
“We’re seeing stablecoin activity around $4 trillion in 2025, which shows how quickly the legal ecosystem is growing,” said Ari Redbord, global head of policy at TRM. “Even with this growth, illicit activity still accounts for only about 1.2% of the total. That said, that 1.2% It exists, and it’s pretty much what comes to mind — ransomware attacks on hospitals, seniors losing their life savings to scams, and state actors like North Korea using cryptocurrencies to fund weapons programs.”
The report comes as the illicit financial use of cryptocurrencies is a focus of debate among U.S. lawmakers working to legislate the cryptocurrency market structure. Democrats are insisting on tougher protections against criminal conduct than were included in an earlier draft of the bill being considered by two Senate committees. So far, the two parties have not been able to reach a mutually satisfactory version, although the Senate Agriculture Committee is still scheduled to hold hearings on Thursday. If the hearings take place, illicit finance will remain a top concern.
TRM said the significant increase in sanctions-related cryptocurrency activity was “largely driven by Russia-related flows.” Ruble-backed stablecoin A7A5 saw $72 billion in inflows, and a cluster of wallets called A7 may be linked to more than $39 billion in Russian sanctions evasion, the company said.
Citing activity in Venezuela and China, the report noted: “While Russia-linked networks have largely driven sanctions-related cryptocurrency trading volumes, a more significant shift has been the institutionalization of cryptocurrency orbits by other sanctioned actors.”
As for cryptocurrency hacks, these incidents cost nearly $3 billion in losses in 2025, a figure higher than the previous year, although about half of that was caused by a single attack on Bybit in February. While there have been a total of 150 thefts from hackers and breaches this year, the losses have been concentrated in a handful of larger incidents.
“Sophisticated actors, particularly those associated with North Korea, are no longer just exploiting code — they are compromising the operational foundations of crypto asset services and their surrounding ecosystems,” the report states. Infrastructure attacks account for most of the damage.
According to TRM, North Korean hacking operations are using “Chinese laundromats” to move stolen assets into the hands of subcontracted money launderers who use chain skipping and fragmentation techniques to complicate tracking. “This specialization complicates recovery because the faster stolen assets move through layered intermediaries, the narrower the window for interception,” the report said.
