As political support for cryptocurrency grows and the industry achieves mainstream adoption, a significant and persistent challenge remains: the flow of illicit funds through major exchanges. A recent investigation by the International Consortium of Investigative Journalists (ICIJ) and The New York Times has revealed that at least $28 billion tied to criminal activity has moved through these platforms in a two-year period [1]. This figure highlights a systemic vulnerability that persists even as the industry publicly promotes its security and legitimacy. For security professionals, understanding the mechanisms behind this illicit finance is critical to developing effective countermeasures.
The problem is not confined to the dark web’s fringes. The investigation traced funds from sophisticated threat actors, including state-sponsored hacking groups from North Korea and operators of complex fraud schemes like “pig butchering.” These criminal proceeds are laundered through a complex network of services, exploiting a critical regulatory gap in how non-custodial crypto services are governed under existing anti-money laundering (AML) laws like the U.S. Bank Secrecy Act (BSA) [3]. This creates a formidable challenge for global financial security, pitting advanced criminal exploitation against an evolving regulatory and law enforcement response.
The Scale of Illicit Finance and Enforcement Challenges
The sheer volume of illicit funds is staggering. The ICIJ/Times investigation found that the $28 billion originated from a wide array of criminal sources, including hackers, thieves, and extortionists [1]. This flow of “dirty money” is facilitated by major exchanges that are simultaneously engaging in high-profile partnerships and seeking regulatory approval. The report specifically names Binance, which participated in a $2 billion deal with a Trump-affiliated crypto firm, as a major recipient of these illicit flows. This contradiction underscores the dual nature of the crypto ecosystem as both a legitimate financial frontier and a conduit for criminal proceeds. The scale of the problem has reportedly overwhelmed law enforcement agencies, with one investigator noting that they “can’t cope with the overwhelming amount of illicit activity in the space” [1].
Criminal Operations and the Role of Transnational Groups
The sources of these illicit funds are often highly organized criminal enterprises. A landmark action by the U.S. Department of the Treasury in October 2025 targeted the Prince Group Transnational Criminal Organization (TCO), a Cambodian-based conglomerate led by Chen Zhi [2]. This TCO operates industrial-scale “scam compounds” that are the source of devastating “pig butchering” schemes. In these scams, victims are lured into online relationships over months before being convinced to invest in fraudulent crypto platforms, resulting in losses of life savings. The operation is doubly cruel, as the scammers are often themselves victims of human trafficking, forced to work under threat of violence [2]. U.S. losses to such Southeast Asia-based scam operations were estimated at $10 billion in 2024 alone.
Parallel to this, the Huione Group was identified as a critical financial facilitator, laundering at least $4 billion in illicit proceeds between 2021 and 2025 [2]. This included at least $37 million from cyber heists carried out by North Korean state-sponsored hackers. The U.S. Financial Crimes Enforcement Network (FinCEN) issued a ruling to sever Huione Group from the U.S. financial system, highlighting its role as a laundromat for both state-level cybercrime and large-scale fraud. These actions demonstrate the sophisticated, multi-layered nature of the criminal organizations leveraging the crypto ecosystem.
The Technical Mechanics of Crypto Money Laundering
Money laundering in the crypto space follows the traditional stages of placement, layering, and integration, but relies on specialized tools that are particularly suited to the layering stage [3]. The key differentiator is between custodial and non-custodial service providers. Custodial providers, like Binance or Coinbase, take control of user funds and are subject to AML regulations. The primary vulnerability lies with non-custodial providers, which do not take custody of assets and thus often fall outside current regulatory frameworks. This category includes unhosted wallets (e.g., MetaMask), Decentralized Exchanges (DEXs) like Uniswap, and non-custodial mixers like Tornado Cash [3].
DEXs function through smart contracts that enable peer-to-peer swaps without an intermediary holding funds. A criminal can use a DEX to swap between different cryptocurrency assets (e.g., from DAI to USDT), breaking the transaction trail on the public blockchain. The smart contract enforces atomic settlement, meaning the swap only completes if all conditions are met, and requires the user to pay a gas fee. Crucially, the user maintains exclusive control over their private keys and assets throughout this process; the DEX merely provides the software infrastructure [3]. Non-custodial mixers further obfuscate funds by pooling and scrambling cryptocurrencies from multiple users, making it exceptionally difficult to trace the origin of specific funds. A 2022 study indicated that nearly 10% of all funds held by illicit entities were laundered through such mixers [3].
A typical laundering workflow for a threat actor would be: structuring large amounts into smaller transactions, using DEXs to swap between asset types, sending funds through a non-custodial mixer to anonymize the payment history, and finally cashing out the “cleaned” cryptocurrencies via a custodial exchange’s off-ramp to convert to fiat currency [3]. This process leverages the regulatory black hole surrounding non-custodial services to avoid detection.
The Regulatory Gap and Legal Framework
The core of the problem is a misalignment between decades-old financial regulations and modern cryptographic technology. The U.S. Bank Secrecy Act (BSA) is the cornerstone of AML law, but it operates on a “control-based principle.” It mandates that financial intermediaries which have control over payment assets must comply with customer identification, monitoring, and recordkeeping requirements [3]. The BSA’s definition of a “money transmitting business” requires an entity to “accept and transmit” funds. Because non-custodial service providers never “accept” or take custody of the assets, they are deemed to fall outside this definition and are therefore not obligated to perform Know Your Customer (KYC) checks, monitor for suspicious activity, or keep records for law enforcement [3].
This creates a significant loophole. As articulated in legal analysis, “through unhosted wallets, DEXs, and non-custodial mixers, bad actors can anonymously or pseudonymously launder dirty money without concern for regulatory detection and scrutiny” [3]. Federal courts have consistently held that cryptocurrencies qualify as “funds,” but the legal framework has not adapted to address entities that facilitate transactions without ever taking custody. Academic proposals suggest a more nuanced framework for analyzing control, examining not just asset custody, but also a service’s role in payment clearing and settlement, and its governance power over the underlying smart contracts [3].
Relevance and Remediation for Security Teams
For security teams, this landscape presents distinct challenges. Threat intelligence units must expand their monitoring to include blockchain analytics, tracking wallet addresses associated with known TCOs like the Prince Group or state actors like North Korean hacking groups. Security Operations Center (SOC) analysts should be aware that corporate crypto transactions could inadvertently interact with laundered funds, creating reputational and legal risks. Indicators of Compromise (IoCs) in this context are not just malicious IPs or hashes, but also cryptocurrency addresses and transactions linked to sanctioned entities or known illicit services.
From a defensive standpoint, organizations involved with crypto assets should implement rigorous transaction screening processes. This involves using blockchain analysis tools to trace the origin and destination of funds, ensuring they do not originate from mixers or wallets associated with sanctioned addresses. Strong internal controls and KYC procedures are essential, even if not legally required for all transaction types. For law enforcement and policy-focused roles, advocating for updated legal frameworks that address the three dimensions of control (clearing, custody, and governance) is a necessary long-term strategy to close the regulatory gap exploited by criminals.
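The following is an added example, not code from the ICIJ/Times investigation, the Treasury action, or the law review cited above, showing the kind of deposit screening recommended here applied to the layering pattern described in the laundering-workflow section. It walks a transaction graph backwards from a deposit address, reports direct inflows from a denylisted address, enumerates every path of at most N hops that starts at one, and computes the proportional share of inflows that trace back to the denylist. Every address, transaction and amount is constructed for the example, the denylist is a placeholder for a real sanctions or known-mixer list, and amounts are assumed to already be normalized to a common unit across assets (a DEX swap changes the asset, so a real screener must value each leg consistently).

```python
"""Deposit screening with multi-hop exposure tracing (added example).

Addresses, transactions and the denylist below are constructed placeholders.
"""
from collections import defaultdict

# Constructed ledger: (tx_id, sender, receiver, amount in a common unit).
# It embeds the layering pattern described in the article: illicit funds enter
# a mixer, leave in two parts, one part is routed through a DEX, and both parts
# reach an exchange deposit address alongside legitimate funds.
SAMPLE_TXS = [
    ("t1", "theft_wallet", "mixer_pool", 100.0),
    ("t2", "mixer_pool", "hop_a", 40.0),
    ("t3", "mixer_pool", "hop_b", 60.0),
    ("t4", "hop_a", "exchange_deposit", 40.0),
    ("t5", "clean_payroll", "hop_c", 200.0),
    ("t6", "hop_c", "exchange_deposit", 50.0),
    ("t7", "hop_b", "dex_router", 60.0),
    ("t8", "dex_router", "hop_d", 59.0),       # swap output net of fees
    ("t9", "hop_d", "exchange_deposit", 20.0),
]

# Placeholder denylist: in practice, sanctioned addresses and known mixer
# contracts from a sanctions list or a blockchain-analytics provider.
DENYLIST = {"mixer_pool"}


def build_graph(txs):
    """Map each receiver to its inflows as (sender, amount, tx_id)."""
    graph = defaultdict(list)
    for tx_id, sender, receiver, amount in txs:
        graph[receiver].append((sender, amount, tx_id))
    return graph


def direct_exposure(address, graph, denylist):
    """Transaction ids of inflows sent straight from a denylisted address."""
    return [tx for sender, _amt, tx in graph.get(address, []) if sender in denylist]


def exposure_paths(address, graph, denylist, max_hops):
    """All paths (sender ... address) of at most max_hops edges that start at a
    denylisted address, found by walking the graph backwards from `address`."""
    paths = []
    stack = [(address, [address])]
    while stack:
        node, path = stack.pop()
        if len(path) - 1 >= max_hops:      # path already uses the hop budget
            continue
        for sender, _amt, _tx in graph.get(node, []):
            new_path = [sender] + path
            if sender in denylist:
                paths.append(new_path)
            elif sender not in path:       # do not loop on circular flows
                stack.append((sender, new_path))
    return paths


def taint_fraction(address, graph, denylist, max_hops, _depth=0):
    """Share of an address's inflows that trace back to the denylist within
    max_hops edges, mixing proportionally at every intermediate address."""
    if address in denylist:
        return 1.0
    inflows = graph.get(address, [])
    if _depth >= max_hops or not inflows:
        return 0.0
    total = sum(amount for _s, amount, _t in inflows)
    tainted = sum(
        amount * taint_fraction(sender, graph, denylist, max_hops, _depth + 1)
        for sender, amount, _t in inflows
    )
    return tainted / total


def screen_deposit(address, txs, denylist, max_hops=4, block_threshold=0.5):
    """Screening verdict for funds arriving at `address`: block on a direct
    denylisted inflow or a tainted share at/above the threshold, review when
    any indirect path exists, otherwise clear."""
    graph = build_graph(txs)
    direct = direct_exposure(address, graph, denylist)
    paths = exposure_paths(address, graph, denylist, max_hops)
    fraction = taint_fraction(address, graph, denylist, max_hops)
    if direct or fraction >= block_threshold:
        decision = "block"
    elif paths:
        decision = "review"
    else:
        decision = "clear"
    return {"direct": direct, "paths": paths,
            "tainted_fraction": fraction, "decision": decision}


if __name__ == "__main__":
    # The DEX hop adds one edge of layering: at 3 hops only the direct mixer
    # branch is visible (review); at 4 hops both branches are (block).
    for hops in (3, 4):
        verdict = screen_deposit("exchange_deposit", SAMPLE_TXS, DENYLIST, max_hops=hops)
        print(f"max_hops={hops}: {verdict['decision']}, "
              f"tainted={verdict['tainted_fraction']:.1%}, "
              f"paths={len(verdict['paths'])}")
```

The hop budget is the design choice to watch: with `max_hops=3` the branch that passed through the DEX is invisible and the deposit is only flagged for review, while `max_hops=4` exposes both branches and the tainted share crosses the block threshold. Real screening tools apply the same proportional mixing rule but over the full chain history, and high-volume contracts such as a DEX router dilute taint across every user that swapped through them, which is exactly why layering through such services is effective and why sanctioned-address lists must be kept current.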
The convergence of political support for crypto and the entrenchment of sophisticated criminal networks within its infrastructure creates a complex security environment. The $28 billion in illicit funds is a symptom of a system where technological innovation has outpaced regulatory oversight. While the industry promotes its mainstream adoption, security professionals must contend with the reality that major exchanges are processing billions in criminal proceeds, facilitated by a class of services operating in a regulatory blind spot. Understanding the technical methods of obfuscation and the legal limitations of current AML frameworks is the first step toward developing more effective detection, prevention, and policy responses to this ongoing challenge.
References
[1] “The Crypto Industry’s $28 Billion in ‘Dirty Money’,” International Consortium of Investigative Journalists (ICIJ) and The New York Times, Nov. 2025.
[2] “U.S. Department of the Treasury Takes Sweeping Action Against Cybercriminal Networks in Southeast Asia,” U.S. Department of the Treasury, Oct. 2025.
[3] “The Regulatory Gap in Crypto Money Laundering: Non-Custodial Services and the Bank Secrecy Act,” University of Chicago Business Law Review, 2025.